
Browser Security Headers

In settings.py:

Add middleware (as high as possible in the middleware section):
django.middleware.security.SecurityMiddleware
django.middleware.clickjacking.XFrameOptionsMiddleware

SECURE_BROWSER_XSS_FILTER = True

SECURE_HSTS_SECONDS = 60  # in seconds; after testing this can be raised to a higher number, say 1 year

SECURE_HSTS_INCLUDE_SUBDOMAINS    = True

SECURE_HSTS_PRELOAD = True

SECURE_CONTENT_TYPE_NOSNIFF = True

X_FRAME_OPTIONS = 'DENY'

SECURE_REFERRER_POLICY = 'same-origin'
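As an added example (not code from these notes, from the Jubilee project, or from Django itself), the Python below derives the response headers that SecurityMiddleware and XFrameOptionsMiddleware emit for the settings listed above and audits a constructed response against them. It assumes the header formats Django uses (`max-age=N; includeSubDomains; preload`, `nosniff`, the Referrer-Policy string, the X-Frame-Options value) and the one-year minimum `max-age` the HSTS preload list requires; `SETTINGS`, `expected_headers`, `audit` and the sample response are all constructed here. SECURE_BROWSER_XSS_FILTER (the X-XSS-Protection header) was deprecated in Django 3.0 and removed in 4.0, so it is deliberately left out of the derivation.

```python
"""Derive the headers Django's SecurityMiddleware / XFrameOptionsMiddleware
would add for a settings dict, then audit a captured response against them.
Added example; values in SETTINGS are copied from the notes above, the
sample response is constructed."""

# Constructed from the settings listed in the notes (not a real settings.py)
SETTINGS = {
    "SECURE_HSTS_SECONDS": 60,
    "SECURE_HSTS_INCLUDE_SUBDOMAINS": True,
    "SECURE_HSTS_PRELOAD": True,
    "SECURE_CONTENT_TYPE_NOSNIFF": True,
    "SECURE_REFERRER_POLICY": "same-origin",
    "X_FRAME_OPTIONS": "DENY",
}

# Minimum max-age (365 days in seconds) the HSTS preload list accepts
PRELOAD_MIN_SECONDS = 31536000

# Constructed sample: what a test client might capture; X-Frame-Options is
# deliberately absent to show a finding
SAMPLE_RESPONSE_HEADERS = {
    "strict-transport-security": "max-age=60; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "same-origin",
}


def expected_headers(settings):
    """Mirror what SecurityMiddleware (HSTS, nosniff, Referrer-Policy) and
    XFrameOptionsMiddleware (X-Frame-Options) add to every response."""
    headers = {}
    seconds = settings.get("SECURE_HSTS_SECONDS", 0)
    if seconds:
        value = f"max-age={seconds}"
        if settings.get("SECURE_HSTS_INCLUDE_SUBDOMAINS"):
            value += "; includeSubDomains"
        if settings.get("SECURE_HSTS_PRELOAD"):
            value += "; preload"
        headers["Strict-Transport-Security"] = value
    if settings.get("SECURE_CONTENT_TYPE_NOSNIFF"):
        headers["X-Content-Type-Options"] = "nosniff"
    policy = settings.get("SECURE_REFERRER_POLICY")
    if policy:
        headers["Referrer-Policy"] = policy
    # XFrameOptionsMiddleware upper-cases the configured value; default DENY
    headers["X-Frame-Options"] = settings.get("X_FRAME_OPTIONS", "DENY").upper()
    return headers


def audit(response_headers, settings):
    """Return findings: missing or mismatched headers, plus an HSTS max-age
    too short for the preload list. Header names compare case-insensitively."""
    got = {name.lower(): value for name, value in response_headers.items()}
    findings = []
    for name, want in expected_headers(settings).items():
        have = got.get(name.lower())
        if have is None:
            findings.append(f"missing {name}")
        elif have != want:
            findings.append(f"{name}: got {have!r}, expected {want!r}")
    if settings.get("SECURE_HSTS_PRELOAD") and settings.get("SECURE_HSTS_SECONDS", 0) < PRELOAD_MIN_SECONDS:
        findings.append("HSTS preload requested but max-age is under 1 year; the preload list will reject it")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_RESPONSE_HEADERS, SETTINGS):
        print(line)
```

Run against the constructed sample this reports two findings: the missing X-Frame-Options header and the 60-second max-age that is too short for preload submission. The same `audit` call can be pointed at headers captured from a real deployment (for example via Django's test client) once the settings are live.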

====================================================
Used in Jubilee
====================================================

                SECURE_BROWSER_XSS_FILTER = True        # XSS protection for forms and links
                SECURE_CONTENT_TYPE_NOSNIFF = True

                SECURE_SSL_HOST = None    # expects a hostname string (or None), not a boolean; only used when SECURE_SSL_REDIRECT is on
                # SECURE_SSL_REDIRECT = True    # redirect all http requests to https

                # HSTS setting also done in Azure App service: Settings > Custom Domains > HTTPS Only
                # SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
                SECURE_HSTS_SECONDS = 2592000    # 30 days
                SECURE_HSTS_INCLUDE_SUBDOMAINS = True
                SECURE_HSTS_PRELOAD = True
        
                SESSION_COOKIE_SECURE = True
                CSRF_COOKIE_SECURE = True
                X_FRAME_OPTIONS = 'DENY'
                SECURE_REFERRER_POLICY = 'same-origin'
        
                CSP_DEFAULT_SRC = ("'self'", "https://illustrationstorage1.blob.core.windows.net/")
                CSP_FONT_SRC = ("'self'", "https://illustrationstorage1.blob.core.windows.net/", "https://use.fontawesome.com/")

                PERMISSIONS_POLICY = {
                        "accelerometer": [],
                        "gyroscope": [],
                        "magnetometer": [],
                        "microphone": [],
                        "usb": [],
                }               
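The CSP_* tuples and the PERMISSIONS_POLICY dict above are consumed by django-csp and django-permissions-policy respectively. As an added example (not the code of either library, nor of the Jubilee project), the Python below serialises those settings into the header values the browser will see, using the formats those libraries emit (directive name from the setting name, `; `-joined directives; `feature=(...)` entries joined with `, `), and lints the CSP for source expressions that weaken it. `CSP_SETTINGS`, `build_csp`, `build_permissions_policy`, `lint_csp` and `WEAK_SOURCES` are constructed here; the setting values are copied from the block above.

```python
"""Serialise django-csp style CSP_* tuples and a django-permissions-policy
dict into header values, and lint the CSP for weak source expressions.
Added example; mimics the libraries' output format, not their code."""

# Values copied from the settings block above (not a real settings.py)
CSP_SETTINGS = {
    "CSP_DEFAULT_SRC": ("'self'", "https://illustrationstorage1.blob.core.windows.net/"),
    "CSP_FONT_SRC": ("'self'", "https://illustrationstorage1.blob.core.windows.net/",
                     "https://use.fontawesome.com/"),
}
PERMISSIONS_POLICY = {
    "accelerometer": [],
    "gyroscope": [],
    "magnetometer": [],
    "microphone": [],
    "usb": [],
}

# Source expressions that make a CSP directive largely ineffective
WEAK_SOURCES = {"*", "'unsafe-inline'", "'unsafe-eval'", "data:", "http:", "https:"}


def build_csp(settings):
    """CSP_FOO_BAR -> 'foo-bar'; sources space-joined; directives '; '-joined
    in the order the settings dict lists them."""
    directives = []
    for key, sources in settings.items():
        if not key.startswith("CSP_"):
            continue
        name = key[len("CSP_"):].lower().replace("_", "-")
        directives.append(f"{name} {' '.join(sources)}")
    return "; ".join(directives)


def build_permissions_policy(policy):
    """[] -> 'feature=()' (disabled everywhere), ['*'] -> 'feature=*',
    otherwise an allowlist with 'self' bare and origins double-quoted."""
    parts = []
    for feature, allow in policy.items():
        if allow == ["*"]:
            parts.append(f"{feature}=*")
            continue
        items = " ".join("self" if a == "self" else f'"{a}"' for a in allow)
        parts.append(f"{feature}=({items})")
    return ", ".join(parts)


def lint_csp(settings):
    """Report each CSP directive that lists a weak source expression."""
    findings = []
    for key, sources in settings.items():
        if not key.startswith("CSP_"):
            continue
        for source in sources:
            if source in WEAK_SOURCES:
                findings.append(f"{key}: weak source {source}")
    return findings


if __name__ == "__main__":
    print("Content-Security-Policy:", build_csp(CSP_SETTINGS))
    print("Permissions-Policy:", build_permissions_policy(PERMISSIONS_POLICY))
    print("CSP findings:", lint_csp(CSP_SETTINGS) or "none")
```

Because the notes' CSP has no `script-src`, scripts fall back to `default-src`, so the blob-storage origin is implicitly trusted for scripts as well as images and styles; `lint_csp` is the place to extend if that fallback should also be flagged.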

====================================================   

Resources:
https://adamj.eu/tech/2019/04/10/how-to-score-a+-for-security-headers-on-your-django-website/

https://docs.djangoproject.com/en/dev/ref/middleware/#django.middleware.security.SecurityMiddleware
