Merge pull request #230 from maykinmedia/dep/oaf-8.0.0

bart-maykin · web-flow · commit 8a0b06c83929 · 2024-08-28T10:04:22.000+02:00
⬆️ update open-api-framework to 8.0.0
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -2,6 +2,23 @@
 Change history
 ==============
 
+
+2.2.0
+=====
+
+**New features**
+
+* updated open-api-framework to 0.8.0, which includes adding CSRF, CSP and HSTS settings (#438).
+  All new environment variables are added to the `documentation <https://objects-and-objecttypes-api.readthedocs.io/en/latest/installation/config.html>`_
+
+.. warning::
+
+    ``SECURE_HSTS_SECONDS`` has been added with a default of 31536000 seconds, ensure that
+    before upgrading to this version of open-api-framework, your entire application is served
+    over HTTPS, otherwise this setting can break parts of your application (see https://docs.djangoproject.com/en/4.2/ref/middleware/#http-strict-transport-security)
+
+
+
 2.1.0
 =====
 
diff --git a/docs/installation/config.rst b/docs/installation/config.rst
@@ -19,6 +19,9 @@ Required
 
 * ``SECRET_KEY``: Secret key that's used for certain cryptographic utilities. You should generate one via `miniwebtool <https://www.miniwebtool.com/django-secret-key-generator>`_.
 * ``ALLOWED_HOSTS``: a comma separated (without spaces!) list of domains that serve the installation. Used to protect against Host header attacks. Defaults to: ``(empty string)``.
+* ``CACHE_DEFAULT``: redis cache address for the default cache (this **MUST** be set when using Docker). Defaults to: ``localhost:6379/0``.
+* ``CACHE_AXES``: redis cache address for the brute force login protection cache (this **MUST** be set when using Docker). Defaults to: ``localhost:6379/0``.
+* ``EMAIL_HOST``: hostname for the outgoing e-mail server (this **MUST** be set when using Docker). Defaults to: ``localhost``.
 
 
 Database
@@ -49,16 +52,25 @@ Elastic APM
 * ``ELASTIC_APM_TRANSACTION_SAMPLE_RATE``: By default, the agent will sample every transaction (e.g. request to your service). To reduce overhead and storage requirements, set the sample rate to a value between 0.0 and 1.0. Defaults to: ``0.1``.
 
 
+Content Security Policy
+-----------------------
+
+* ``CSP_EXTRA_DEFAULT_SRC``: Extra default source URLs for CSP other than ``self``. Used for ``img-src``, ``style-src`` and ``script-src``. Defaults to: ``[]``.
+* ``CSP_REPORT_URI``: URI of the``report-uri`` directive. Defaults to: ``None``.
+* ``CSP_REPORT_PERCENTAGE``: Percentage of requests that get the ``report-uri`` directive. Defaults to: ``0``.
+* ``CSP_EXTRA_FORM_ACTION``: Add additional ``form-action`` source to the default . Defaults to: ``[]``.
+* ``CSP_FORM_ACTION``: Override the default ``form-action`` source. Defaults to: ``['"\'self\'"']``.
+* ``CSP_EXTRA_IMG_SRC``: Extra ``img-src`` sources for CSP other than ``CSP_DEFAULT_SRC``. Defaults to: ``[]``.
+* ``CSP_OBJECT_SRC``: ``object-src`` urls. Defaults to: ``['"\'none\'"']``.
+
+
 Optional
 --------
 
 * ``SITE_ID``: The database ID of the site object. You usually won't have to touch this. Defaults to: ``1``.
 * ``DEBUG``: Only set this to ``True`` on a local development environment. Various other security settings are derived from this setting!. Defaults to: ``False``.
 * ``USE_X_FORWARDED_HOST``: whether to grab the domain/host from the X-Forwarded-Host header or not. This header is typically set by reverse proxies (such as nginx, traefik, Apache...). Note: this is a header that can be spoofed and you need to ensure you control it before enabling this. Defaults to: ``False``.
 * ``IS_HTTPS``: Used to construct absolute URLs and controls a variety of security settings. Defaults to the inverse of ``DEBUG``.
-* ``CACHE_DEFAULT``: redis cache address for the default cache. Defaults to: ``localhost:6379/0``.
-* ``CACHE_AXES``: redis cache address for the brute force login protection cache. Defaults to: ``localhost:6379/0``.
-* ``EMAIL_HOST``: hostname for the outgoing e-mail server. Defaults to: ``localhost``.
 * ``EMAIL_PORT``: port number of the outgoing e-mail server. Note that if you're on Google Cloud, sending e-mail via port 25 is completely blocked and you should use 487 for TLS. Defaults to: ``25``.
 * ``EMAIL_HOST_USER``: username to connect to the mail server. Defaults to: ``(empty string)``.
 * ``EMAIL_HOST_PASSWORD``: password to connect to the mail server. Defaults to: ``(empty string)``.
diff --git a/requirements/base.txt b/requirements/base.txt
@@ -76,6 +76,7 @@ django==4.2.15
     #   django-appconf
     #   django-axes
     #   django-cors-headers
+    #   django-csp
     #   django-filter
     #   django-formtools
     #   django-jsonform
@@ -111,6 +112,8 @@ django-axes==6.5.1
     # via open-api-framework
 django-cors-headers==4.4.0
     # via open-api-framework
+django-csp==3.8
+    # via open-api-framework
 django-filter==24.2
     # via
     #   commonground-api-common
@@ -228,7 +231,7 @@ mozilla-django-oidc-db==0.19.0
     # via open-api-framework
 notifications-api-common==0.2.2
     # via commonground-api-common
-open-api-framework==0.7.1
+open-api-framework==0.8.0
     # via -r requirements/base.in
 orderedmultidict==1.0.1
     # via furl
diff --git a/requirements/ci.txt b/requirements/ci.txt
@@ -153,6 +153,7 @@ django==4.2.15
     #   django-appconf
     #   django-axes
     #   django-cors-headers
+    #   django-csp
     #   django-filter
     #   django-formtools
     #   django-jsonform
@@ -200,6 +201,11 @@ django-cors-headers==4.4.0
     #   -c requirements/base.txt
     #   -r requirements/base.txt
     #   open-api-framework
+django-csp==3.8
+    # via
+    #   -c requirements/base.txt
+    #   -r requirements/base.txt
+    #   open-api-framework
 django-filter==24.2
     # via
     #   -c requirements/base.txt
@@ -487,7 +493,7 @@ notifications-api-common==0.2.2
     #   -c requirements/base.txt
     #   -r requirements/base.txt
     #   commonground-api-common
-open-api-framework==0.7.1
+open-api-framework==0.8.0
     # via
     #   -c requirements/base.txt
     #   -r requirements/base.txt
diff --git a/requirements/dev.txt b/requirements/dev.txt
@@ -181,6 +181,7 @@ django==4.2.15
     #   django-appconf
     #   django-axes
     #   django-cors-headers
+    #   django-csp
     #   django-debug-toolbar
     #   django-extensions
     #   django-filter
@@ -230,6 +231,11 @@ django-cors-headers==4.4.0
     #   -c requirements/ci.txt
     #   -r requirements/ci.txt
     #   open-api-framework
+django-csp==3.8
+    # via
+    #   -c requirements/ci.txt
+    #   -r requirements/ci.txt
+    #   open-api-framework
 django-debug-toolbar==4.4.6
     # via -r requirements/dev.in
 django-extensions==3.2.3
@@ -556,7 +562,7 @@ notifications-api-common==0.2.2
     #   -c requirements/ci.txt
     #   -r requirements/ci.txt
     #   commonground-api-common
-open-api-framework==0.7.1
+open-api-framework==0.8.0
     # via
     #   -c requirements/ci.txt
     #   -r requirements/ci.txt
