🔧[#42] add HSTS & CSP settings

Author: Coperh

open_api_framework/conf/base.py

@@ -124,6 +124,7 @@
     # External applications.
     "axes",
     "django_filters",
+    "csp",
     "corsheaders",
     "vng_api_common",
     "notifications_api_common",
@@ -162,6 +163,7 @@
     "django.contrib.messages.middleware.MessageMiddleware",
     "django.middleware.clickjacking.XFrameOptionsMiddleware",
     "axes.middleware.AxesMiddleware",
+    "csp.contrib.rate_limiting.RateLimitedCSPMiddleware",
 ]
 
 ROOT_URLCONF = f"{PROJECT_DIRNAME}.urls"
@@ -421,6 +423,9 @@
 CSRF_COOKIE_SECURE = IS_HTTPS
 CSRF_COOKIE_SAMESITE = config("CSRF_COOKIE_SAMESITE", "Strict")
 
+if IS_HTTPS:
+    SECURE_HSTS_SECONDS = 31536000
+
 X_FRAME_OPTIONS = "DENY"
 
 #
@@ -672,3 +677,64 @@ def init_sentry(before_send: Callable | None = None):
 LOG_OUTGOING_REQUESTS_MAX_AGE = config(
     "LOG_OUTGOING_REQUESTS_MAX_AGE", default=7
 )  # number of days
+
+
+#
+# Django CSP settings
+#
+# explanation of directives: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
+# and how to specify them: https://django-csp.readthedocs.io/en/latest/configuration.html
+#
+# NOTE: make sure values are a tuple or list, and to quote special values like 'self'
+
+# ideally we'd use BASE_URI but it'd have to be lazy or cause issues
+CSP_DEFAULT_SRC = [
+    "'self'",
+] + config("CSP_EXTRA_DEFAULT_SRC", default=[], split=True)
+
+CSP_REPORT_PERCENTAGE = config("CSP_REPORT_PERCENTAGE", 1.0)  # float between 0 and 1
+
+CSP_FORM_ACTION = (
+    config(
+        "CSP_FORM_ACTION",
+        default=["\"'self'\""]
+        + config("CSP_EXTRA_FORM_ACTION", default=[], split=True),
+        split=True,
+    )
+    + CORS_ALLOWED_ORIGINS
+)
+
+CSP_IMG_SRC = (
+    CSP_DEFAULT_SRC
+    + config("CSP_EXTRA_IMG_SRC", default=[], split=True)
+)
+
+# affects <object> and <embed> tags, block everything by default but allow deploy-time
+# overrides.
+CSP_OBJECT_SRC = config("CSP_OBJECT_SRC", default=["\"'none'\""], split=True)
+
+# we must include this explicitly, otherwise the style-src only includes the nonce because
+# of CSP_INCLUDE_NONCE_IN
+CSP_STYLE_SRC = CSP_DEFAULT_SRC
+CSP_SCRIPT_SRC = CSP_DEFAULT_SRC
+
+# firefox does not get the nonce from default-src, see
+# https://stackoverflow.com/a/63376012
+CSP_INCLUDE_NONCE_IN = ["style-src", "script-src"]
+
+# directives that don't fallback to default-src
+CSP_BASE_URI = ["'self'"]
+
+# Frame directives do not fall back to default-src
+CSP_FRAME_ANCESTORS = ["'none'"]  # equivalent to X-Frame-Options: deny
+CSP_FRAME_SRC = ["'self'"]
+# CSP_NAVIGATE_TO = ["'self'"]  # this will break all outgoing links etc  # too much & tricky, see note on MDN
+# CSP_SANDBOX # too much
+
+CSP_UPGRADE_INSECURE_REQUESTS = False  # TODO enable on production?
+
+CSP_EXCLUDE_URL_PREFIXES = (
+    # ReDoc/Swagger pull in external sources, so don't enforce CSP on API endpoints/documentation.
+    "/api/",
+    "/admin/",
+)

pyproject.toml

@@ -39,6 +39,7 @@ dependencies = [
     "djangorestframework-gis>=1.0",
     "django-filter>=24.2",
     "drf-spectacular>=0.27.2",
+    "django-csp>=3.8",
     "djangorestframework-inclusions>=1.2.0",
     "commonground-api-common>=1.12.1",
     "mozilla-django-oidc-db>=0.19.0",