irakha63255
/
Web_engingeering
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4 Commits
1 Branch
Branch: master
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'master'
${ noResults }
Web_engingeering/news/venv/lib/python3.7/site-packages/django/core/checks/security/base.py

base.py 6.6KB
Raw Permalink Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210 
  1. from django.conf import settings

  2. 

  3. from .. import Tags, Warning, register

  4. 

  5. SECRET_KEY_MIN_LENGTH = 50

  6. SECRET_KEY_MIN_UNIQUE_CHARACTERS = 5

  7. 

  8. W001 = Warning(

  9.     "You do not have 'django.middleware.security.SecurityMiddleware' "

  10.     "in your MIDDLEWARE so the SECURE_HSTS_SECONDS, "

  11.     "SECURE_CONTENT_TYPE_NOSNIFF, "

  12.     "SECURE_BROWSER_XSS_FILTER, and SECURE_SSL_REDIRECT settings "

  13.     "will have no effect.",

  14.     id='security.W001',

  15. )

  16. 

  17. W002 = Warning(

  18.     "You do not have "

  19.     "'django.middleware.clickjacking.XFrameOptionsMiddleware' in your "

  20.     "MIDDLEWARE, so your pages will not be served with an "

  21.     "'x-frame-options' header. Unless there is a good reason for your "

  22.     "site to be served in a frame, you should consider enabling this "

  23.     "header to help prevent clickjacking attacks.",

  24.     id='security.W002',

  25. )

  26. 

  27. W004 = Warning(

  28.     "You have not set a value for the SECURE_HSTS_SECONDS setting. "

  29.     "If your entire site is served only over SSL, you may want to consider "

  30.     "setting a value and enabling HTTP Strict Transport Security. "

  31.     "Be sure to read the documentation first; enabling HSTS carelessly "

  32.     "can cause serious, irreversible problems.",

  33.     id='security.W004',

  34. )

  35. 

  36. W005 = Warning(

  37.     "You have not set the SECURE_HSTS_INCLUDE_SUBDOMAINS setting to True. "

  38.     "Without this, your site is potentially vulnerable to attack "

  39.     "via an insecure connection to a subdomain. Only set this to True if "

  40.     "you are certain that all subdomains of your domain should be served "

  41.     "exclusively via SSL.",

  42.     id='security.W005',

  43. )

  44. 

  45. W006 = Warning(

  46.     "Your SECURE_CONTENT_TYPE_NOSNIFF setting is not set to True, "

  47.     "so your pages will not be served with an "

  48.     "'X-Content-Type-Options: nosniff' header. "

  49.     "You should consider enabling this header to prevent the "

  50.     "browser from identifying content types incorrectly.",

  51.     id='security.W006',

  52. )

  53. 

  54. W007 = Warning(

  55.     "Your SECURE_BROWSER_XSS_FILTER setting is not set to True, "

  56.     "so your pages will not be served with an "

  57.     "'X-XSS-Protection: 1; mode=block' header. "

  58.     "You should consider enabling this header to activate the "

  59.     "browser's XSS filtering and help prevent XSS attacks.",

  60.     id='security.W007',

  61. )

  62. 

  63. W008 = Warning(

  64.     "Your SECURE_SSL_REDIRECT setting is not set to True. "

  65.     "Unless your site should be available over both SSL and non-SSL "

  66.     "connections, you may want to either set this setting True "

  67.     "or configure a load balancer or reverse-proxy server "

  68.     "to redirect all connections to HTTPS.",

  69.     id='security.W008',

  70. )

  71. 

  72. W009 = Warning(

  73.     "Your SECRET_KEY has less than %(min_length)s characters or less than "

  74.     "%(min_unique_chars)s unique characters. Please generate a long and random "

  75.     "SECRET_KEY, otherwise many of Django's security-critical features will be "

  76.     "vulnerable to attack." % {

  77.         'min_length': SECRET_KEY_MIN_LENGTH,

  78.         'min_unique_chars': SECRET_KEY_MIN_UNIQUE_CHARACTERS,

  79.     },

  80.     id='security.W009',

  81. )

  82. 

  83. W018 = Warning(

  84.     "You should not have DEBUG set to True in deployment.",

  85.     id='security.W018',

  86. )

  87. 

  88. W019 = Warning(

  89.     "You have "

  90.     "'django.middleware.clickjacking.XFrameOptionsMiddleware' in your "

  91.     "MIDDLEWARE, but X_FRAME_OPTIONS is not set to 'DENY'. "

  92.     "The default is 'SAMEORIGIN', but unless there is a good reason for "

  93.     "your site to serve other parts of itself in a frame, you should "

  94.     "change it to 'DENY'.",

  95.     id='security.W019',

  96. )

  97. 

  98. W020 = Warning(

  99.     "ALLOWED_HOSTS must not be empty in deployment.",

  100.     id='security.W020',

  101. )

  102. 

  103. W021 = Warning(

  104.     "You have not set the SECURE_HSTS_PRELOAD setting to True. Without this, "

  105.     "your site cannot be submitted to the browser preload list.",

  106.     id='security.W021',

  107. )

  108. 

  109. 

  110. def _security_middleware():

  111.     return 'django.middleware.security.SecurityMiddleware' in settings.MIDDLEWARE

  112. 

  113. 

  114. def _xframe_middleware():

  115.     return 'django.middleware.clickjacking.XFrameOptionsMiddleware' in settings.MIDDLEWARE

  116. 

  117. 

  118. @register(Tags.security, deploy=True)

  119. def check_security_middleware(app_configs, **kwargs):

  120.     passed_check = _security_middleware()

  121.     return [] if passed_check else [W001]

  122. 

  123. 

  124. @register(Tags.security, deploy=True)

  125. def check_xframe_options_middleware(app_configs, **kwargs):

  126.     passed_check = _xframe_middleware()

  127.     return [] if passed_check else [W002]

  128. 

  129. 

  130. @register(Tags.security, deploy=True)

  131. def check_sts(app_configs, **kwargs):

  132.     passed_check = not _security_middleware() or settings.SECURE_HSTS_SECONDS

  133.     return [] if passed_check else [W004]

  134. 

  135. 

  136. @register(Tags.security, deploy=True)

  137. def check_sts_include_subdomains(app_configs, **kwargs):

  138.     passed_check = (

  139.         not _security_middleware() or

  140.         not settings.SECURE_HSTS_SECONDS or

  141.         settings.SECURE_HSTS_INCLUDE_SUBDOMAINS is True

  142.     )

  143.     return [] if passed_check else [W005]

  144. 

  145. 

  146. @register(Tags.security, deploy=True)

  147. def check_sts_preload(app_configs, **kwargs):

  148.     passed_check = (

  149.         not _security_middleware() or

  150.         not settings.SECURE_HSTS_SECONDS or

  151.         settings.SECURE_HSTS_PRELOAD is True

  152.     )

  153.     return [] if passed_check else [W021]

  154. 

  155. 

  156. @register(Tags.security, deploy=True)

  157. def check_content_type_nosniff(app_configs, **kwargs):

  158.     passed_check = (

  159.         not _security_middleware() or

  160.         settings.SECURE_CONTENT_TYPE_NOSNIFF is True

  161.     )

  162.     return [] if passed_check else [W006]

  163. 

  164. 

  165. @register(Tags.security, deploy=True)

  166. def check_xss_filter(app_configs, **kwargs):

  167.     passed_check = (

  168.         not _security_middleware() or

  169.         settings.SECURE_BROWSER_XSS_FILTER is True

  170.     )

  171.     return [] if passed_check else [W007]

  172. 

  173. 

  174. @register(Tags.security, deploy=True)

  175. def check_ssl_redirect(app_configs, **kwargs):

  176.     passed_check = (

  177.         not _security_middleware() or

  178.         settings.SECURE_SSL_REDIRECT is True

  179.     )

  180.     return [] if passed_check else [W008]

  181. 

  182. 

  183. @register(Tags.security, deploy=True)

  184. def check_secret_key(app_configs, **kwargs):

  185.     passed_check = (

  186.         getattr(settings, 'SECRET_KEY', None) and

  187.         len(set(settings.SECRET_KEY)) >= SECRET_KEY_MIN_UNIQUE_CHARACTERS and

  188.         len(settings.SECRET_KEY) >= SECRET_KEY_MIN_LENGTH

  189.     )

  190.     return [] if passed_check else [W009]

  191. 

  192. 

  193. @register(Tags.security, deploy=True)

  194. def check_debug(app_configs, **kwargs):

  195.     passed_check = not settings.DEBUG

  196.     return [] if passed_check else [W018]

  197. 

  198. 

  199. @register(Tags.security, deploy=True)

  200. def check_xframe_deny(app_configs, **kwargs):

  201.     passed_check = (

  202.         not _xframe_middleware() or

  203.         settings.X_FRAME_OPTIONS == 'DENY'

  204.     )

  205.     return [] if passed_check else [W019]

  206. 

  207. 

  208. @register(Tags.security, deploy=True)

  209. def check_allowed_hosts(app_configs, **kwargs):

  210.     return [] if settings.ALLOWED_HOSTS else [W020]