diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 883b9c47..72e47b3e 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -2,6 +2,23 @@ Change history ============== + +2.2.0 +===== + +**New features** + +* updated open-api-framework to 0.8.0, which includes adding CSRF, CSP and HSTS settings (#438). + All new environment variables are added to the `documentation `_ + +.. warning:: + + ``SECURE_HSTS_SECONDS`` has been added with a default of 31536000 seconds, ensure that + before upgrading to this version of open-api-framework, your entire application is served + over HTTPS, otherwise this setting can break parts of your application (see https://docs.djangoproject.com/en/4.2/ref/middleware/#http-strict-transport-security) + + + 2.1.0 ===== diff --git a/docs/installation/config.rst b/docs/installation/config.rst index 2c7b930a..f0566908 100644 --- a/docs/installation/config.rst +++ b/docs/installation/config.rst @@ -19,6 +19,9 @@ Required * ``SECRET_KEY``: Secret key that's used for certain cryptographic utilities. You should generate one via `miniwebtool `_. * ``ALLOWED_HOSTS``: a comma separated (without spaces!) list of domains that serve the installation. Used to protect against Host header attacks. Defaults to: ``(empty string)``. +* ``CACHE_DEFAULT``: redis cache address for the default cache (this **MUST** be set when using Docker). Defaults to: ``localhost:6379/0``. +* ``CACHE_AXES``: redis cache address for the brute force login protection cache (this **MUST** be set when using Docker). Defaults to: ``localhost:6379/0``. +* ``EMAIL_HOST``: hostname for the outgoing e-mail server (this **MUST** be set when using Docker). Defaults to: ``localhost``. Database 
@@ -49,6 +52,18 @@ Elastic APM * ``ELASTIC_APM_TRANSACTION_SAMPLE_RATE``: By default, the agent will sample every transaction (e.g. request to your service). To reduce overhead and storage requirements, set the sample rate to a value between 0.0 and 1.0. Defaults to: ``0.1``. +Content Security Policy +----------------------- + +* ``CSP_EXTRA_DEFAULT_SRC``: Extra default source URLs for CSP other than ``self``. Used for ``img-src``, ``style-src`` and ``script-src``. Defaults to: ``[]``. +* ``CSP_REPORT_URI``: URI of the``report-uri`` directive. Defaults to: ``None``. +* ``CSP_REPORT_PERCENTAGE``: Percentage of requests that get the ``report-uri`` directive. Defaults to: ``0``. +* ``CSP_EXTRA_FORM_ACTION``: Add additional ``form-action`` source to the default . Defaults to: ``[]``. +* ``CSP_FORM_ACTION``: Override the default ``form-action`` source. Defaults to: ``['"\'self\'"']``. +* ``CSP_EXTRA_IMG_SRC``: Extra ``img-src`` sources for CSP other than ``CSP_DEFAULT_SRC``. Defaults to: ``[]``. +* ``CSP_OBJECT_SRC``: ``object-src`` urls. Defaults to: ``['"\'none\'"']``. + + Optional -------- 
@@ -56,9 +71,6 @@ Optional * ``DEBUG``: Only set this to ``True`` on a local development environment. Various other security settings are derived from this setting!. Defaults to: ``False``. * ``USE_X_FORWARDED_HOST``: whether to grab the domain/host from the X-Forwarded-Host header or not. This header is typically set by reverse proxies (such as nginx, traefik, Apache...). Note: this is a header that can be spoofed and you need to ensure you control it before enabling this. Defaults to: ``False``. * ``IS_HTTPS``: Used to construct absolute URLs and controls a variety of security settings. Defaults to the inverse of ``DEBUG``. -* ``CACHE_DEFAULT``: redis cache address for the default cache. Defaults to: ``localhost:6379/0``. -* ``CACHE_AXES``: redis cache address for the brute force login protection cache. Defaults to: ``localhost:6379/0``. -* ``EMAIL_HOST``: hostname for the outgoing e-mail server. Defaults to: ``localhost``. * ``EMAIL_PORT``: port number of the outgoing e-mail server. Note that if you're on Google Cloud, sending e-mail via port 25 is completely blocked and you should use 487 for TLS. Defaults to: ``25``. * ``EMAIL_HOST_USER``: username to connect to the mail server. Defaults to: ``(empty string)``. * ``EMAIL_HOST_PASSWORD``: password to connect to the mail server. Defaults to: ``(empty string)``. diff --git a/requirements/base.txt b/requirements/base.txt index a5283be5..69045c2f 100644 --- a/requirements/base.txt +++ b/requirements/base.txt @@ -76,6 +76,7 @@ django==4.2.15 # django-appconf # django-axes # django-cors-headers + # django-csp # django-filter # django-formtools # django-jsonform @@ -111,6 +112,8 @@ django-axes==6.5.1 # via open-api-framework django-cors-headers==4.4.0 # via open-api-framework +django-csp==3.8 + # via open-api-framework django-filter==24.2 # via # commonground-api-common 
@@ -228,7 +231,7 @@ mozilla-django-oidc-db==0.19.0 # via open-api-framework notifications-api-common==0.2.2 # via commonground-api-common -open-api-framework==0.7.1 +open-api-framework==0.8.0 # via -r requirements/base.in orderedmultidict==1.0.1 # via furl diff --git a/requirements/ci.txt b/requirements/ci.txt index 44a1087a..1bfc0503 100644 --- a/requirements/ci.txt +++ b/requirements/ci.txt @@ -153,6 +153,7 @@ django==4.2.15 # django-appconf # django-axes # django-cors-headers + # django-csp # django-filter # django-formtools # django-jsonform @@ -200,6 +201,11 @@ django-cors-headers==4.4.0 # -c requirements/base.txt # -r requirements/base.txt # open-api-framework +django-csp==3.8 + # via + # -c requirements/base.txt + # -r requirements/base.txt + # open-api-framework django-filter==24.2 # via # -c requirements/base.txt @@ -487,7 +493,7 @@ notifications-api-common==0.2.2 # -c requirements/base.txt # -r requirements/base.txt # commonground-api-common -open-api-framework==0.7.1 +open-api-framework==0.8.0 # via # -c requirements/base.txt # -r requirements/base.txt diff --git a/requirements/dev.txt b/requirements/dev.txt index ab1fe031..6384845e 100644 --- a/requirements/dev.txt +++ b/requirements/dev.txt @@ -181,6 +181,7 @@ django==4.2.15 # django-appconf # django-axes # django-cors-headers + # django-csp # django-debug-toolbar # django-extensions # django-filter @@ -230,6 +231,11 @@ django-cors-headers==4.4.0 # -c requirements/ci.txt # -r requirements/ci.txt # open-api-framework +django-csp==3.8 + # via + # -c requirements/ci.txt + # -r requirements/ci.txt + # open-api-framework django-debug-toolbar==4.4.6 # via -r requirements/dev.in django-extensions==3.2.3 @@ -556,7 +562,7 @@ notifications-api-common==0.2.2 # -c requirements/ci.txt # -r requirements/ci.txt # commonground-api-common -open-api-framework==0.7.1 +open-api-framework==0.8.0 # via # -c requirements/ci.txt # -r requirements/ci.txt
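Review bot: the `documentation `_ reference in the new 2.2.0 changelog entry has an empty link target, so it will render as an unresolved reST reference; point it at the config page edited in this same change (docs/installation/config.rst). The entry also claims that all new CSRF, CSP and HSTS environment variables are documented, but the config.rst hunks only add the ``CSP_*`` variables; either document the CSRF settings and ``SECURE_HSTS_SECONDS`` there too (or state that they are not overridable per deployment) or narrow the claim. The HSTS warning is worth keeping; since browsers remember the policy for the full 31536000 seconds, it is worth saying that rolling the setting back after a premature deploy does not undo it for clients that already received the header, and "this version of open-api-framework" should read "this version" of the application, since this is the application's changelog.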
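Review bot: the three entries moved into the Required section of config.rst (``CACHE_DEFAULT``, ``CACHE_AXES``, ``EMAIL_HOST``) still list a default (``localhost:6379/0`` and ``localhost``), which contradicts "this **MUST** be set"; either drop the defaults from these lines or explain the reason, namely that inside a Docker container ``localhost`` refers to the container itself, so the default can never reach a separate redis or mail service. Worth spelling out for ``CACHE_AXES`` that it backs the brute force login protection, so a wrong address here degrades a security control rather than just caching.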
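Review bot: the new Content Security Policy section has several wording and consistency problems. ``CSP_REPORT_URI`` is missing a space in "URI of the``report-uri``", and ``CSP_EXTRA_FORM_ACTION`` has a stray space before the period in "to the default ."; ``CSP_OBJECT_SRC`` should say "URLs". ``CSP_EXTRA_IMG_SRC`` refers to ``CSP_DEFAULT_SRC``, which is not documented anywhere in this section (only ``CSP_EXTRA_DEFAULT_SRC`` is), so either document it or reference the documented variable. ``CSP_REPORT_PERCENTAGE`` gives no range (0 to 100, or 0.0 to 1.0, as the ``ELASTIC_APM_TRANSACTION_SAMPLE_RATE`` line above does); state it. The defaults shown as ``['"\'self\'"']`` and ``['"\'none\'"']`` mix three layers of quoting; show the value an operator would actually put in the environment variable, e.g. ``'self'``. Finally, since ``CSP_EXTRA_DEFAULT_SRC`` feeds ``script-src`` as well as ``img-src`` and ``style-src``, a one-line caveat that adding an origin there also allows scripts from it would help operators avoid widening the policy by accident.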
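Review bot: removing ``CACHE_DEFAULT``, ``CACHE_AXES`` and ``EMAIL_HOST`` from the Optional section is consistent with their move to Required, no issue there. One drive-by on the unchanged ``EMAIL_PORT`` context line in this hunk: "you should use 487 for TLS" looks like a typo for 587, the standard SMTP submission port; worth fixing while this block is being touched.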