Quick start¶
Default configuration¶
To apply default security headers to all responses:
Installation
From
pip
pip install django-security-headers
To access the
scan
function fromhttpobs
, add the following to your project’s dev requirements-e git+https://github.com/jsumnerPhD/http-observatory#egg=httpobs
Add the
csp
,security_headers
middlewares. For Django 1.11, also add thesamesite
middlewareMIDDLEWARES = [ "django.middleware.security.SecurityMiddleware", "csp.middleware.CSPMiddleware", "security_headers.middleware.extra_security_headers_middleware", "django_cookies_samesite.middleware.CookiesSameSite", # Not needed for Django 2.2 ... ]
Add the default
csp
andsecurity_headers
settings by importing the defaults to your localsettings.py
from security_headers.defaults import *
Add
security_headers
to yourINSTALLED_APPS
.INSTALLED_APPS = [ ... "security_headers", ... ]
This will expose a simple admin interface for specifying safe domains.
Optional configuration¶
If you included step 1b, you can add a scan link to urls.py
. Accessing this link will run a scan against https://127.0.0.1:8000/<path>
where the path is determined from reversing url_name
. Note that the sslserver must be running in parallel to the request.
from security_headers.views import scan_url
if settings.DEBUG:
urlpatterns += i18n_patterns(
url(r"^security/(?P<url_name>[\w-]+)/", scan_url, name="scan")
)
For newer Django syntax
urlpatterns += [path("security/<slug:url_name>/", scan_url, name="scan")]
To access template tags provided by django-csp
, add csp
to INSTALLED_APPS
INSTALLED_APPS = [
...
"security_headers",
"csp",
...
]
To use the sslserver (provided by django-sslserver through ./manage.py runsslserver
)
INSTALLED_APPS = [
...
"security_headers",
"csp",
"sslserver",
...
]
Development settings¶
During development, you will need to overwrite some default settings if not using the ssl server. At the very end of your settings.py
file, include
if "runsslserver" in sys.argv:
SSL_CONTEXT = True
SECURE_HSTS_SECONDS = 3600
else:
SSL_CONTEXT = False
SECURE_HSTS_SECONDS = 0
CSRF_COOKIE_NAME = 'csrftoken'
CSRF_COOKIE_SECURE = SSL_CONTEXT
SECURE_SSL_REDIRECT = SSL_CONTEXT
SESSION_COOKIE_SECURE = SSL_CONTEXT
Reducing SECURE_HSTS_SECONDS
time is also a good idea during development.