🔧[#42] add HSTS & CSP settings

Author: Coperh

open_api_framework/conf/base.py

@@ -8,6 +8,7 @@
 
 import sentry_sdk
 from corsheaders.defaults import default_headers as default_cors_headers
+from csp.constants import SELF
 from log_outgoing_requests.formatters import HttpFormatter
 from notifications_api_common.settings import *  # noqa
 
@@ -124,6 +125,7 @@
     # External applications.
     "axes",
     "django_filters",
+    "csp",
     "corsheaders",
     "vng_api_common",
     "notifications_api_common",
@@ -162,6 +164,7 @@
     "django.contrib.messages.middleware.MessageMiddleware",
     "django.middleware.clickjacking.XFrameOptionsMiddleware",
     "axes.middleware.AxesMiddleware",
+    "csp.contrib.rate_limiting.RateLimitedCSPMiddleware",
 ]
 
 ROOT_URLCONF = f"{PROJECT_DIRNAME}.urls"
@@ -421,6 +424,9 @@
 CSRF_COOKIE_SECURE = IS_HTTPS
 CSRF_COOKIE_SAMESITE = config("CSRF_COOKIE_SAMESITE", "Strict")
 
+if IS_HTTPS:
+    SECURE_HSTS_SECONDS = 31536000
+
 X_FRAME_OPTIONS = "DENY"
 
 #
@@ -672,3 +678,27 @@ def init_sentry(before_send: Callable | None = None):
 LOG_OUTGOING_REQUESTS_MAX_AGE = config(
     "LOG_OUTGOING_REQUESTS_MAX_AGE", default=7
 )  # number of days
+
+
+#
+# Django CSP settings
+#
+
+CSP_DEFAULT_SRC = [
+    SELF,
+] + config("CSP_EXTRA_DEFAULT_SRC", default=[], split=True)
+
+
+CONTENT_SECURITY_POLICY = {
+    "EXCLUDE_URL_PREFIXES": ["/api/", "/admin"],
+    "DIRECTIVES": {
+        "base-uri": SELF,
+        "default-src": CSP_DEFAULT_SRC,
+        "style-src": CSP_DEFAULT_SRC,
+        "script-src": CSP_DEFAULT_SRC,
+        "img-src": CSP_DEFAULT_SRC,
+        "frame-ancestors": None,
+        "frame-src": [SELF],
+        "upgrade-insecure-requests": False,
+    },
+}

pyproject.toml

@@ -39,6 +39,7 @@ dependencies = [
     "djangorestframework-gis>=1.0",
     "django-filter>=24.2",
     "drf-spectacular>=0.27.2",
+    "django-csp>=3.8",
     "djangorestframework-inclusions>=1.2.0",
     "commonground-api-common>=1.12.1",
     "mozilla-django-oidc-db>=0.19.0",