1from plain.runtime import settings
3from .. import Warning, register
# Preflight warnings emitted by the CSRF checks below. Each one carries a
# stable id in the "security." namespace so it can be told apart in check
# output.

# Raised when the built-in CSRF middleware is not listed in MIDDLEWARE.
W003 = Warning(
    "You don't appear to be using Plain's built-in cross-site request "
    "forgery protection via the middleware "
    "('plain.csrf.middleware.CsrfViewMiddleware' is not in your MIDDLEWARE). "
    "Enabling the middleware is the safest approach to ensure you don't "
    "leave any holes.",
    id="security.W003",
)

# Raised when the middleware is active but CSRF_COOKIE_SECURE is not True,
# i.e. the CSRF cookie may still travel over plaintext HTTP where it can be
# sniffed.
W016 = Warning(
    "You have 'plain.csrf.middleware.CsrfViewMiddleware' in your MIDDLEWARE, "
    "but you have not set CSRF_COOKIE_SECURE to True. Using a secure-only "
    "CSRF cookie makes it more difficult for network traffic sniffers to "
    "steal the CSRF token.",
    id="security.W016",
)
def _csrf_middleware() -> bool:
    """Report whether the built-in CSRF middleware is configured.

    Looks for the dotted path of ``CsrfViewMiddleware`` in
    ``settings.MIDDLEWARE``. Both deploy checks in this module key off this
    helper, so the cookie check is only applied when the middleware whose
    cookie it concerns is actually in the stack.

    Returns:
        True when the middleware path is present in ``settings.MIDDLEWARE``.
    """
    middleware_path = "plain.csrf.middleware.CsrfViewMiddleware"
    configured = settings.MIDDLEWARE
    return middleware_path in configured
@register(deploy=True)
def check_csrf_middleware(package_configs, **kwargs):
    """Deploy check: warn (W003) when CsrfViewMiddleware is not in MIDDLEWARE.

    ``package_configs`` and ``kwargs`` are part of the check-registry call
    signature and are not used by this check.

    Returns:
        An empty list when the middleware is configured, otherwise ``[W003]``.
    """
    if _csrf_middleware():
        return []
    return [W003]
@register(deploy=True)
def check_csrf_cookie_secure(package_configs, **kwargs):
    """Deploy check: warn (W016) when the CSRF cookie is not Secure-only.

    The check only applies when CsrfViewMiddleware is active; without it
    there is no CSRF cookie to protect, and the missing middleware is
    reported separately by W003. The setting is compared by identity with
    ``True``, so a truthy non-bool value (``1``, ``"true"``) still warns —
    presumably deliberate, so that mis-typed settings are surfaced rather
    than silently accepted.

    ``package_configs`` and ``kwargs`` are part of the check-registry call
    signature and are not used by this check.

    Returns:
        An empty list when the check passes or does not apply, otherwise
        ``[W016]``.
    """
    if not _csrf_middleware():
        # No middleware, no CSRF cookie: nothing to check here.
        return []
    if settings.CSRF_COOKIE_SECURE is True:
        return []
    return [W016]