diff --git a/.github/workflows/contributing.yaml b/.github/workflows/contributing.yaml new file mode 100644 index 000000000..1ec52d6f2 --- /dev/null +++ b/.github/workflows/contributing.yaml @@ -0,0 +1,8 @@ +name: Contributing + +on: + pull_request: + +jobs: + validate-existing-contributors: + uses: ocadotechnology/codeforlife-workspace/.github/workflows/validate-existing-contributors.yaml@main diff --git a/deploy/middleware/security.py b/deploy/middleware/security.py index d1ee5e39c..3708f414f 100644 --- a/deploy/middleware/security.py +++ b/deploy/middleware/security.py @@ -4,19 +4,19 @@ class CustomSecurityMiddleware(SecurityMiddleware): """ Extends Django's Security Middleware. - See https://docs.djangoproject.com/en/2.2/_modules/django/middleware/security/ for - the source code, as well as https://docs.djangoproject.com/en/2.2/ref/middleware/#module-django.middleware.security + See https://docs.djangoproject.com/en/3.2/_modules/django/middleware/security/ for + the source code, as well as https://docs.djangoproject.com/en/3.2/ref/middleware/#module-django.middleware.security for docs on security middleware. """ def process_response(self, request, response): """ Extends the original security middleware to ensure the X-XSS-Protection header - is set to 0. + is set to 1. """ super().process_response(request, response) if self.xss_filter: - response["X-XSS-Protection"] = "0" + response["X-XSS-Protection"] = "1" return response diff --git a/example_project/portal_test_settings.py b/example_project/portal_test_settings.py index 33d8fc03b..4b02973a2 100644 --- a/example_project/portal_test_settings.py +++ b/example_project/portal_test_settings.py @@ -185,6 +185,7 @@ SECURE_CONTENT_TYPE_NOSNIFF = True SECURE_BROWSER_XSS_FILTER = True SECURE_REFERRER_POLICY = "strict-origin-when-cross-origin" +CSRF_USE_SESSIONS = False # Setting to False to allow CSRF token to work in Cypress RECAPTCHA_DOMAIN = "www.recaptcha.net" AUTHENTICATION_BACKENDS = ["django.contrib.auth.backends.ModelBackend", "portal.backends.StudentLoginBackend"] USE_TZ = True diff --git a/example_project/settings.py b/example_project/settings.py index ff6f7f888..1b037b461 100644 --- a/example_project/settings.py +++ b/example_project/settings.py @@ -148,6 +148,7 @@ SECURE_CONTENT_TYPE_NOSNIFF = True SECURE_BROWSER_XSS_FILTER = True SECURE_REFERRER_POLICY = "strict-origin-when-cross-origin" +CSRF_USE_SESSIONS = True RECAPTCHA_DOMAIN = "www.recaptcha.net" AUTHENTICATION_BACKENDS = ["django.contrib.auth.backends.ModelBackend", "portal.backends.StudentLoginBackend"] USE_TZ = True diff --git a/portal/__init__.py b/portal/__init__.py index e3a5b67d6..faa00b292 100644 --- a/portal/__init__.py +++ b/portal/__init__.py @@ -1 +1 @@ -__version__ = "6.39.9" +__version__ = "6.39.10" diff --git a/portal/tests/test_middleware.py b/portal/tests/test_middleware.py index c27441959..171401937 100644 --- a/portal/tests/test_middleware.py +++ b/portal/tests/test_middleware.py @@ -118,7 +118,7 @@ def test_security_headers(self): assert response.headers["cache-control"] == "private" assert response.headers["x-content-type-options"] == "nosniff" assert response.headers["x-frame-options"] == "DENY" - assert response.headers["x-xss-protection"] == "0" + assert response.headers["x-xss-protection"] == "1" class TestSessionTimeoutMiddleware(TestCase): diff --git a/run_testserver b/run_testserver index 75e9b4e49..d786ef2bd 100755 --- a/run_testserver +++ b/run_testserver @@ -3,4 +3,4 @@ set -e cd "${BASH_SOURCE%/*}" ./example_project/manage.py collectstatic --noinput --clear -./example_project/manage.py testserver portal/tests/cypress/fixtures/teachersToBeDeleted.json +./example_project/manage.py testserver portal/tests/cypress/fixtures/teachersToBeDeleted.json --settings="portal_test_settings"