From facb212d7858c5c27b0866521f2dbb6da85e7fe9 Mon Sep 17 00:00:00 2001
From: faucomte97
Date: Wed, 3 Jan 2024 15:51:37 +0000
Subject: [PATCH 1/2] fix: Update HTTP headers and CSRF sessions usage
---
 deploy/middleware/security.py | 8 ++++----
 example_project/portal_test_settings.py | 1 +
 example_project/settings.py | 1 +
 portal/tests/test_middleware.py | 2 +-
 4 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/deploy/middleware/security.py b/deploy/middleware/security.py
index d1ee5e39c..3708f414f 100644
--- a/deploy/middleware/security.py
+++ b/deploy/middleware/security.py
@@ -4,19 +4,19 @@ class CustomSecurityMiddleware(SecurityMiddleware):
     """
     Extends Django's Security Middleware.
 
-    See https://docs.djangoproject.com/en/2.2/_modules/django/middleware/security/ for
-    the source code, as well as https://docs.djangoproject.com/en/2.2/ref/middleware/#module-django.middleware.security
+    See https://docs.djangoproject.com/en/3.2/_modules/django/middleware/security/ for
+    the source code, as well as https://docs.djangoproject.com/en/3.2/ref/middleware/#module-django.middleware.security
     for docs on security middleware.
     """
 
     def process_response(self, request, response):
         """
         Extends the original security middleware to ensure the X-XSS-Protection header
-        is set to 0.
+        is set to 1.
         """
         super().process_response(request, response)
 
         if self.xss_filter:
-            response["X-XSS-Protection"] = "0"
+            response["X-XSS-Protection"] = "1"
 
         return response
diff --git a/example_project/portal_test_settings.py b/example_project/portal_test_settings.py
index 33d8fc03b..15237a372 100644
--- a/example_project/portal_test_settings.py
+++ b/example_project/portal_test_settings.py
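Review bot: Changing the X-XSS-Protection override from `"0"` to `"1"` re-enables the browser's legacy XSS auditor in its page-rewriting mode, which is the configuration the OWASP secure-headers guidance recommends against (it recommends `0`), and it is also weaker than the `1; mode=block` that Django 3.2's `SecurityMiddleware.process_response` already sets when `xss_filter` is true, so the override now exists only to downgrade the parent's value. The previous `"0"` reads as the deliberate hardening choice this override was written for, and neither the hunk nor the commit message records why it is reversed. If a scanner or compliance finding drives this, record it above the assignment, e.g. `# "1" rather than "0": required by <TICKET-ID placeholder>; CSP remains the real XSS control`, and prefer `"1; mode=block"` over a bare `"1"` if `"0"` cannot be kept. The method docstring should also state why the header is forced to a fixed value rather than only what it is set to. The mirrored assertion in the portal/tests/test_middleware.py hunk inherits the same concern.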
@@ -185,6 +185,7 @@
 SECURE_CONTENT_TYPE_NOSNIFF = True
 SECURE_BROWSER_XSS_FILTER = True
 SECURE_REFERRER_POLICY = "strict-origin-when-cross-origin"
+CSRF_USE_SESSIONS = True
 RECAPTCHA_DOMAIN = "www.recaptcha.net"
 AUTHENTICATION_BACKENDS = ["django.contrib.auth.backends.ModelBackend", "portal.backends.StudentLoginBackend"]
 USE_TZ = True
diff --git a/example_project/settings.py b/example_project/settings.py
index ff6f7f888..1b037b461 100644
--- a/example_project/settings.py
+++ b/example_project/settings.py
@@ -148,6 +148,7 @@
 SECURE_CONTENT_TYPE_NOSNIFF = True
 SECURE_BROWSER_XSS_FILTER = True
 SECURE_REFERRER_POLICY = "strict-origin-when-cross-origin"
+CSRF_USE_SESSIONS = True
 RECAPTCHA_DOMAIN = "www.recaptcha.net"
 AUTHENTICATION_BACKENDS = ["django.contrib.auth.backends.ModelBackend", "portal.backends.StudentLoginBackend"]
 USE_TZ = True
diff --git a/portal/tests/test_middleware.py b/portal/tests/test_middleware.py
index c27441959..171401937 100644
--- a/portal/tests/test_middleware.py
+++ b/portal/tests/test_middleware.py
@@ -118,7 +118,7 @@ def test_security_headers(self):
         assert response.headers["cache-control"] == "private"
         assert response.headers["x-content-type-options"] == "nosniff"
         assert response.headers["x-frame-options"] == "DENY"
-        assert response.headers["x-xss-protection"] == "0"
+        assert response.headers["x-xss-protection"] == "1"
 
 
 class TestSessionTimeoutMiddleware(TestCase):
From 2e1c6412be2fde44db982a83d652abcbcd715f61 Mon Sep 17 00:00:00 2001
From: faucomte97
Date: Tue, 9 Jan 2024 17:02:22 +0000
Subject: [PATCH 2/2] Set setting to False in test settings
---
 example_project/portal_test_settings.py | 2 +-
 run_testserver | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/example_project/portal_test_settings.py b/example_project/portal_test_settings.py
index 15237a372..4b02973a2 100644
--- a/example_project/portal_test_settings.py
+++ b/example_project/portal_test_settings.py
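Review bot: `CSRF_USE_SESSIONS = True` in the example_project/settings.py hunk moves the CSRF secret out of the `csrftoken` cookie and into the server-side session, and two consequences are not addressed here. Django requires `CsrfViewMiddleware` to come after `SessionMiddleware` when this setting is on, and the MIDDLEWARE list is outside these hunks, so that ordering should be confirmed; any front-end or test code that reads the token from the cookie will also stop finding one, since the token is then only reachable through `{{ csrf_token }}` / `get_token()` (which is presumably what the follow-up patch works around in the test settings). The token additionally now lives and dies with the session, so an expired session (this project appears to have a session-timeout middleware, judging by the test class name in the test_middleware.py hunk) turns a pending form post into a CSRF 403 rather than a login redirect. A comment next to the setting would save the next reader that investigation, e.g. `# Token is kept in the session, not a cookie: JS must read it from the rendered form, and it expires with the session`. The identical line in the portal_test_settings.py hunk carries the same points.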
@@ -185,7 +185,7 @@
 SECURE_CONTENT_TYPE_NOSNIFF = True
 SECURE_BROWSER_XSS_FILTER = True
 SECURE_REFERRER_POLICY = "strict-origin-when-cross-origin"
-CSRF_USE_SESSIONS = True
+CSRF_USE_SESSIONS = False # Setting to False to allow CSRF token to work in Cypress
 RECAPTCHA_DOMAIN = "www.recaptcha.net"
 AUTHENTICATION_BACKENDS = ["django.contrib.auth.backends.ModelBackend", "portal.backends.StudentLoginBackend"]
 USE_TZ = True
diff --git a/run_testserver b/run_testserver
index 75e9b4e49..d786ef2bd 100755
--- a/run_testserver
+++ b/run_testserver
@@ -3,4 +3,4 @@ set -e cd "${BASH_SOURCE%/*}" ./example_project/manage.py collectstatic --noinput --clear
-./example_project/manage.py testserver portal/tests/cypress/fixtures/teachersToBeDeleted.json
+./example_project/manage.py testserver portal/tests/cypress/fixtures/teachersToBeDeleted.json --settings="portal_test_settings"
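Review bot: Setting `CSRF_USE_SESSIONS = False` only in portal_test_settings.py makes the test run exercise a different CSRF mechanism than production, so the Cypress suite can no longer detect the very case the inline comment describes: a client that reads the token from the `csrftoken` cookie will fail the same way against the real settings.py, where that cookie is no longer issued. Unless production JavaScript already takes the token from the rendered page, this looks like the tests were adjusted to pass rather than the application adapted; the test-side fix is to have Cypress read the hidden `csrfmiddlewaretoken` input (or a `{{ csrf_token }}`-backed element) and keep the setting aligned with production. If the divergence is intentional for now, say so explicitly, e.g. `# Differs from settings.py: Cypress reads the csrftoken cookie, which session-stored tokens never set; TODO align once the fixtures read it from the form`.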
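Review bot: The new `--settings="portal_test_settings"` applies only to the `testserver` command, while the preceding `collectstatic --noinput --clear` still runs under the default settings module; if STATIC_ROOT or the staticfiles configuration differs between the two modules, the server will serve from a directory other than the one just collected into. Passing the same `--settings` to the collectstatic line, or exporting `DJANGO_SETTINGS_MODULE` once near `set -e`, keeps both commands on one configuration. The bare module name presumably resolves because Python puts the script's own directory (`example_project/`) on `sys.path` when `./example_project/manage.py` is executed, which is worth a one-line comment since it breaks if the script is ever invoked via the interpreter with a different path.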