Add Permissions-Policy and Content-Security-Policy headers (#226)
Co-authored-by: Thibaud Colas <[email protected]>
laymonage and thibaudcolas authored Nov 15, 2023
1 parent 38fd75d commit d501f32
Showing 4 changed files with 86 additions and 3 deletions.
49 changes: 49 additions & 0 deletions apps/guide/settings/base.py
Expand Up @@ -67,6 +67,7 @@

MIDDLEWARE = [
"django.middleware.security.SecurityMiddleware",
"django_permissions_policy.PermissionsPolicyMiddleware",
# Whitenoise middleware is used to server static files (CSS, JS, etc.).
# According to the official documentation it should be listed underneath
# SecurityMiddleware.
Expand Down Expand Up @@ -183,6 +184,54 @@
]


# Security

# Configure the `Permissions-Policy` header
# https://github.com/adamchainz/django-permissions-policy
PERMISSIONS_POLICY = {
"accelerometer": [],
"ambient-light-sensor": [],
"autoplay": [],
"camera": [],
"display-capture": [],
"document-domain": [],
"encrypted-media": [],
"fullscreen": [],
"geolocation": [],
"gyroscope": [],
"interest-cohort": [],
"magnetometer": [],
"microphone": [],
"midi": [],
"payment": [],
"usb": [],
}

# Content Security policy settings
# http://django-csp.readthedocs.io/en/latest/configuration.html
if "CSP_DEFAULT_SRC" in env:
MIDDLEWARE.append("csp.middleware.CSPMiddleware")

# The “special” source values of
# 'self', 'unsafe-inline', 'unsafe-eval', and 'none' must be quoted!
# e.g.: CSP_DEFAULT_SRC = "'self'" Without quotes they will not work as intended.

CSP_DEFAULT_SRC = env.get("CSP_DEFAULT_SRC").split(",")
if "CSP_SCRIPT_SRC" in env:
CSP_SCRIPT_SRC = env.get("CSP_SCRIPT_SRC").split(",")
if "CSP_STYLE_SRC" in env:
CSP_STYLE_SRC = env.get("CSP_STYLE_SRC").split(",")
if "CSP_IMG_SRC" in env:
CSP_IMG_SRC = env.get("CSP_IMG_SRC").split(",")
if "CSP_CONNECT_SRC" in env:
CSP_CONNECT_SRC = env.get("CSP_CONNECT_SRC").split(",")
if "CSP_FONT_SRC" in env:
CSP_FONT_SRC = env.get("CSP_FONT_SRC").split(",")
if "CSP_BASE_URI" in env:
CSP_BASE_URI = env.get("CSP_BASE_URI").split(",")
if "CSP_OBJECT_SRC" in env:
CSP_OBJECT_SRC = env.get("CSP_OBJECT_SRC").split(",")

# Internationalization
# https://docs.djangoproject.com/en/4.0/topics/i18n/

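Review bot: Once `CSP_DEFAULT_SRC` is set the policy is enforced immediately, and nothing in this block reads a report-only flag or a reporting endpoint, so there is no way to stage the header and observe what it would block before it blocks it; django-csp supports `CSP_REPORT_ONLY` and `CSP_REPORT_URI`, and both fit the same env-driven pattern used here. The eight `env.get(name).split(",")` lines also parse without stripping or dropping blanks, so a value such as `'self', https://cdn.example.com` yields a source with a leading space and `a,,b` yields an empty source; a small helper would make them consistent and tolerant of how operators actually write these variables. `frame-ancestors` and `form-action` are not among the configurable directives, and neither falls back to `default-src`, so clickjacking protection rests on whatever X-Frame-Options handling exists elsewhere in the settings, which this hunk does not show. The sketch below shows the helper and the report-only additions; the remaining per-directive lookups are unchanged apart from calling the helper.
```python
def _csp_sources(name):
    """Parse a comma-separated CSP source list from the environment, dropping blanks."""
    return [src.strip() for src in env.get(name).split(",") if src.strip()]


if "CSP_DEFAULT_SRC" in env:
    MIDDLEWARE.append("csp.middleware.CSPMiddleware")

    # Stage a new policy with CSP_REPORT_ONLY=true before enforcing it.
    CSP_REPORT_ONLY = env.get("CSP_REPORT_ONLY", "false").lower() in ("1", "true")
    if "CSP_REPORT_URI" in env:
        CSP_REPORT_URI = _csp_sources("CSP_REPORT_URI")

    # … unchanged: quoting note for 'self', 'unsafe-inline', 'unsafe-eval', 'none' …
    CSP_DEFAULT_SRC = _csp_sources("CSP_DEFAULT_SRC")
    # … unchanged: CSP_SCRIPT_SRC … CSP_OBJECT_SRC lookups, each via _csp_sources …
```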
36 changes: 34 additions & 2 deletions poetry.lock
2 changes: 2 additions & 0 deletions pyproject.toml
Expand Up @@ -20,6 +20,8 @@ django-storages = ">=1.14,<1.15"
whitenoise = ">=6.6,<6.7"
psycopg2 = "2.9.9"
wagtail-localize = "1.7rc1"
django-permissions-policy = "^4.13.0"
django-csp = "^3.7"

[tool.poetry.group.dev.dependencies]
ruff = "^0.1.4"
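Review bot: The two new constraints use caret ranges (`^4.13.0`, `^3.7`) while the neighbouring entries pin narrowly (`>=1.14,<1.15`, `>=6.6,<6.7`, `2.9.9`), so `django-csp` may float to any later 3.x minor on the next `poetry lock` even though the surrounding file deliberately avoids that. Matching the existing style would be `django-permissions-policy = ">=4.13,<4.14"` and `django-csp = ">=3.7,<3.8"`. If floating minors are intended for these two security-header packages, a short comment saying so would stop the next reader from "fixing" it.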
2 changes: 1 addition & 1 deletion setup.cfg
Expand Up @@ -9,4 +9,4 @@ omit =
*migrations*

[coverage:report]
show_missing = True
show_missing = True
