Quick start¶
Default configuration¶
To apply default security headers to all responses:
Installation
From
pippip install django-security-headers
To access the
scanfunction fromhttpobs, add the following to your project’s dev requirements-e git+https://github.com/jsumnerPhD/http-observatory#egg=httpobs
Add the
csp,security_headers, andsamesitemiddlewaresMIDDLEWARES = [ "django.middleware.security.SecurityMiddleware", "csp.middleware.CSPMiddleware", "security_headers.middleware.extra_security_headers", "django_cookies_samesite.middleware.CookiesSameSite", ... ]
Add the default
cspandsecurity_headerssettings by importing the defaults to your localsettings.pyfrom security_headers.defaults import *
(Optional) If you included step 1b, you can add a scan link to
urls.py. Accessing this link will run a scan againsthttps://127.0.0.1:8000/<path>where the path is determined from reversingurl_name. Note that the sslserver must be running in parallel to the request.from security_headers.views import scan_url if settings.DEBUG: urlpatterns += [ url( r"^security/(?P<url_name>[\w-]+)/", scan_url, name="scan", ), ]
Optional configuration¶
To permit framing from whitelisted domains, add security_headers to your INSTALLED_APPS.
INSTALLED_APPS = [
...
"security_headers",
...
]
This will expose a simple admin interface for specifying safe domains. To access template tags provided by django-csp, install csp as well
INSTALLED_APPS = [
...
"security_headers",
"csp",
...
]
To use the sslserver
INSTALLED_APPS = [
...
"security_headers",
"csp",
"sslserver",
...
]
Development settings¶
During development using http localhost server, you will need to overwrite some default settings when not using the ssl server. At the very end of your settings.py file, include
if "runsslserver" in sys.argv:
SSL_CONTEXT = True
else:
SSL_CONTEXT = False
CSRF_COOKIE_SECURE = SSL_CONTEXT
SECURE_SSL_REDIRECT = SSL_CONTEXT
SESSION_COOKIE_SECURE = SSL_CONTEXT
SECURE_HSTS_SECONDS = 3600
Reducing SECURE_HSTS_SECONDS time is also a good idea during development.