From 922f21aff0b23896b99501b8beb0e0ff589cbd05 Mon Sep 17 00:00:00 2001
From: Caitlin Barnard
Date: Fri, 4 Oct 2024 13:23:33 +0100
Subject: [PATCH] FFT-71 Enable csp headers for logging into sentry
---
 .env.ci | 3 ++-
 .env.example | 3 +++
 config/settings/base.py | 16 ++++++++++++++++
 poetry.lock | 20 +++++++++++++++++++-
 pyproject.toml | 1 +
 5 files changed, 41 insertions(+), 2 deletions(-)
diff --git a/.env.ci b/.env.ci
index 9fbfc44f..29f6fe1a 100644
--- a/.env.ci
+++ b/.env.ci
@@ -8,4 +8,5 @@ AUTHBROKER_CLIENT_ID=
 AUTHBROKER_CLIENT_SECRET=
 AUTHBROKER_URL=
 SENTRY_ENVIRONMENT=ci
-SENTRY_DSN=
\ No newline at end of file
+SENTRY_DSN=
+CSP_REPORT_URI=" "
\ No newline at end of file
diff --git a/.env.example b/.env.example
index 0d5cf9b1..d0afcc56 100644
--- a/.env.example
+++ b/.env.example
@@ -26,6 +26,9 @@ SENTRY_ENVIRONMENT=
 SENTRY_KEY=
 SENTRY_PROJECT=
+# CSP headers
+CSP_REPORT_URI=
+
 # Vite
 VITE_DEV=True
diff --git a/config/settings/base.py b/config/settings/base.py
index 2fa2e73a..f92bdb4a 100644
--- a/config/settings/base.py
+++ b/config/settings/base.py
@@ -281,6 +281,7 @@ def FILTERS_VERBOSE_LOOKUPS():
 "core.no_cache_middleware.NoCacheMiddleware",
 "simple_history.middleware.HistoryRequestMiddleware",
 "axes.middleware.AxesMiddleware",
+ "csp.middleware.CSPMiddleware",
 ]
 AUTHENTICATION_BACKENDS = [
@@ -409,3 +410,18 @@ def FILTERS_VERBOSE_LOOKUPS():
 traces_sample_rate=env.float("SENTRY_TRACES_SAMPLE_RATE", 0.0),
 send_default_pii=True,
 )
+
+
+# Content Security Policy header settings
+CSP_DEFAULT_SRC = ("'none'",)
+CSP_SCRIPT_SRC = ("'none'",)
+CSP_SCRIPT_SRC_ATTR = ("'none'",)
+CSP_SCRIPT_SRC_ELEM = ("'none'",)
+CSP_IMG_SRC = ("'none'",)
+CSP_MEDIA_SRC = ("'none'",)
+CSP_FRAME_SRC = ("'none'",)
+CSP_FONT_SRC = ("'none'",)
+CSP_CONNECT_SRC = ("'none'",)
+
+CSP_REPORT_ONLY = True
+CSP_REPORT_URI = env("CSP_REPORT_URI", default=None)
diff --git a/poetry.lock b/poetry.lock
index e80ddcb2..83ed5310 100644
--- a/poetry.lock
+++ b/poetry.lock
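Review bot: `CSP_REPORT_URI=" "` in the .env.ci hunk sets the report URI to a single space instead of leaving it unset, which differs from what the new .env.example line documents (`CSP_REPORT_URI=`). If that value reaches settings as `" "` it is truthy in Python, so `CSP_REPORT_URI = env("CSP_REPORT_URI", default=None)` would, as far as I can tell from django-csp 3.8's policy builder, emit a `report-uri` directive with a whitespace-only value rather than omitting the directive. The intent here looks like "no reporting in CI", which an empty value already gives; I would change the line to `CSP_REPORT_URI=` to match the example file. If the space is there to satisfy a loader that rejects empty values, a comment on the line saying so would stop the next person from "fixing" it.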
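Review bot: With every directive in the new settings block set to `'none'` and `CSP_REPORT_ONLY = True`, every script, stylesheet, image, font and XHR the site legitimately loads is a violation, so the endpoint behind `CSP_REPORT_URI` (Sentry's security endpoint, going by the commit title) will receive one report per asset per page view — noise that buries the real findings and, on Sentry, counts against the project's event quota. Starting from `'self'` (plus whatever the Vite dev server that `VITE_DEV` in .env.example implies serves locally) would leave only unexpected origins in the reports; note also that `CSP_STYLE_SRC` is not set, so inline styles fall back to `default-src 'none'` and are reported too. The report-only flag is hard-coded, so moving to an enforcing header later needs a code change; `CSP_REPORT_ONLY = env.bool("CSP_REPORT_ONLY", default=True)` keeps today's behaviour while letting production flip it without a deploy of settings code. A comment above the block such as `# Report-only while the allow-list is collected from violation reports; do not enforce until the CSP_*_SRC values reflect the real asset origins` would make that intent explicit to the next reader.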
@@ -807,6 +807,24 @@ boto3 = ">=1.17.89"
 django = ">=4.2.9,<4.3.0"
 django-storages = ">=1.11.1"
+[[package]]
+name = "django-csp"
+version = "3.8"
+description = "Django Content Security Policy support."
+optional = false
+python-versions = "*"
+files = [
+ {file = "django_csp-3.8-py3-none-any.whl", hash = "sha256:19b2978b03fcd73517d7d67acbc04fbbcaec0facc3e83baa502965892d1e0719"},
+ {file = "django_csp-3.8.tar.gz", hash = "sha256:ef0f1a9f7d8da68ae6e169c02e9ac661c0ecf04db70e0d1d85640512a68471c0"},
+]
+
+[package.dependencies]
+Django = ">=3.2"
+
+[package.extras]
+jinja2 = ["jinja2 (>=2.9.6)"]
+tests = ["jinja2 (>=2.9.6)", "pytest", "pytest-cov", "pytest-django", "pytest-ruff"]
+
 [[package]]
 name = "django-environ"
 version = "0.11.2"
@@ -2914,4 +2932,4 @@ testing = ["coverage (>=5.0.3)", "zope.event", "zope.testing"]
 [metadata]
 lock-version = "2.0"
 python-versions = "^3.12"
-content-hash = "feaef5b68afa6e91a5348333ffbfacafe3156cedf3280297a626c7839e308870"
+content-hash = "1629136e0bc04c33a447c8e09f3ee7fa2cacb9622b7d52c1de60782ca85c4fd5"
diff --git a/pyproject.toml b/pyproject.toml
index d88b5e16..fe5ac0f3 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -44,6 +44,7 @@ redis = "^5.0.3"
 django-import-export = "^3.3.07"
 dbt-copilot-python = "^0.2.1"
 django-log-formatter-asim = "^0.0.4"
+django-csp = "^3.8"
 [tool.poetry.group.prod]
 optional = true