[Django] #30426: Make security headers default


[Django] #30426: Make security headers default

#30426: Make security headers default
-------------------------------------------------+------------------------
               Reporter:  Adam (Chainz) Johnson  |          Owner:  nobody
                   Type:  New feature            |         Status:  new
              Component:  Core (Other)           |        Version:  2.2
               Severity:  Normal                 |       Keywords:
           Triage Stage:  Unreviewed             |      Has patch:  0
    Needs documentation:  0                      |    Needs tests:  0
Patch needs improvement:  0                      |  Easy pickings:  0
                  UI/UX:  0                      |
-------------------------------------------------+------------------------
 Following my security headers talk at DjangoCon Europe and its related
 blog post ( https://adamj.eu/tech/2019/04/10/how-to-score-a+-for-security-
 headers-on-your-django-website/ ), I'd like to make Django use more of
 these security headers by default on new projects. They're always harder
 to roll out on existing projects than to just bake into the new project
 template.

 On current master, running `python manage.py check --deploy` on a fresh
 project created with `startproject` yields these warnings:

 ```
 System check identified some issues:

 WARNINGS:
 ?: (security.W004) You have not set a value for the SECURE_HSTS_SECONDS
 setting. If your entire site is served only over SSL, you may want to
 consider setting a value and enabling HTTP Strict Transport Security. Be
 sure to read the documentation first; enabling HSTS carelessly can cause
 serious, irreversible problems.
 ?: (security.W006) Your SECURE_CONTENT_TYPE_NOSNIFF setting is not set to
 True, so your pages will not be served with an 'X-Content-Type-Options:
 nosniff' header. You should consider enabling this header to prevent the
 browser from identifying content types incorrectly.
 ?: (security.W007) Your SECURE_BROWSER_XSS_FILTER setting is not set to
 True, so your pages will not be served with an 'X-XSS-Protection: 1;
 mode=block' header. You should consider enabling this header to activate
 the browser's XSS filtering and help prevent XSS attacks.
 ?: (security.W008) Your SECURE_SSL_REDIRECT setting is not set to True.
 Unless your site should be available over both SSL and non-SSL
 connections, you may want to either set this setting True or configure a
 load balancer or reverse-proxy server to redirect all connections to
 HTTPS.
 ?: (security.W012) SESSION_COOKIE_SECURE is not set to True. Using a
 secure-only session cookie makes it more difficult for network traffic
 sniffers to hijack user sessions.
 ?: (security.W016) You have 'django.middleware.csrf.CsrfViewMiddleware' in
 your MIDDLEWARE, but you have not set CSRF_COOKIE_SECURE to True. Using a
 secure-only CSRF cookie makes it more difficult for network traffic
 sniffers to steal the CSRF token.
 ?: (security.W018) You should not have DEBUG set to True in deployment.
 ?: (security.W019) You have
 'django.middleware.clickjacking.XFrameOptionsMiddleware' in your
 MIDDLEWARE, but X_FRAME_OPTIONS is not set to 'DENY'. The default is
 'SAMEORIGIN', but unless there is a good reason for your site to serve
 other parts of itself in a frame, you should change it to 'DENY'.
 ?: (security.W020) ALLOWED_HOSTS must not be empty in deployment.

 System check identified 9 issues (0 silenced).
 ```

 Three of these come from security headers that we could activate by
 default in the settings `SECURE_CONTENT_TYPE_NOSNIFF`,
 `SECURE_BROWSER_XSS_FILTER`, and `X_FRAME_OPTIONS`.

 I'd like to propose making them default in the `startproject` settings and
 even changing their global defaults (through a deprecation period) so they
 are activated by default.

--
Ticket URL: <https://code.djangoproject.com/ticket/30426>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

--
You received this message because you are subscribed to the Google Groups "Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/django-updates/053.a8373c62679ccc395387e85eff37667d%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.
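As an added illustration (not Django's own code and not part of the ticket), the script below models what the three settings named in the description do: how `SECURE_CONTENT_TYPE_NOSNIFF`, `SECURE_BROWSER_XSS_FILTER` and `X_FRAME_OPTIONS` turn into response headers, and how the matching `check --deploy` warnings W006, W007 and W019 are triggered. It runs without Django installed; the header values and warning ids are the ones quoted in the check output above, while the function names, the dict-shaped settings, and the constructed "fresh" and "proposed template" configurations are assumptions made for the example.

```python
"""Added example: header emission and deploy checks for three Django
security settings, modelled over a plain dict so it runs without Django.
Not Django's implementation; function and dict shapes are assumptions."""

from typing import Dict, List

# Middleware class paths as quoted in the ticket's check output.
SECURITY_MW = "django.middleware.security.SecurityMiddleware"
XFRAME_MW = "django.middleware.clickjacking.XFrameOptionsMiddleware"

# Global defaults implied by the warnings a fresh project produces.
GLOBAL_DEFAULTS = {
    "SECURE_CONTENT_TYPE_NOSNIFF": False,
    "SECURE_BROWSER_XSS_FILTER": False,
    "X_FRAME_OPTIONS": "SAMEORIGIN",
    # The startproject template installs both middleware classes, so a
    # settings dict that omits MIDDLEWARE is treated as having them.
    "MIDDLEWARE": [SECURITY_MW, XFRAME_MW],
}


def security_headers(settings: Dict[str, object]) -> Dict[str, str]:
    """Headers a response would carry under these settings (explicit values
    override the global defaults, as Django's settings object does)."""
    cfg = {**GLOBAL_DEFAULTS, **settings}
    headers: Dict[str, str] = {}
    if SECURITY_MW in cfg["MIDDLEWARE"]:
        if cfg["SECURE_CONTENT_TYPE_NOSNIFF"]:
            headers["X-Content-Type-Options"] = "nosniff"
        if cfg["SECURE_BROWSER_XSS_FILTER"]:
            headers["X-XSS-Protection"] = "1; mode=block"
    if XFRAME_MW in cfg["MIDDLEWARE"]:
        # The clickjacking middleware always sets the header; the setting
        # only chooses its value.
        headers["X-Frame-Options"] = str(cfg["X_FRAME_OPTIONS"]).upper()
    return headers


def deploy_check(settings: Dict[str, object]) -> List[str]:
    """The subset of `check --deploy` warnings this example models.
    Each check only fires when the middleware that would use the setting
    is installed, mirroring the wording of W019 in the ticket."""
    cfg = {**GLOBAL_DEFAULTS, **settings}
    found: List[str] = []
    if SECURITY_MW in cfg["MIDDLEWARE"]:
        if cfg["SECURE_CONTENT_TYPE_NOSNIFF"] is not True:
            found.append("security.W006")
        if cfg["SECURE_BROWSER_XSS_FILTER"] is not True:
            found.append("security.W007")
    if XFRAME_MW in cfg["MIDDLEWARE"]:
        if str(cfg["X_FRAME_OPTIONS"]).lower() != "deny":
            found.append("security.W019")
    return found


# Constructed configurations: the current template sets none of the three,
# the proposed template sets all of them to their strict values.
FRESH_PROJECT: Dict[str, object] = {}
PROPOSED_TEMPLATE: Dict[str, object] = {
    "SECURE_CONTENT_TYPE_NOSNIFF": True,
    "SECURE_BROWSER_XSS_FILTER": True,
    "X_FRAME_OPTIONS": "DENY",
}

if __name__ == "__main__":
    for label, cfg in (("fresh", FRESH_PROJECT), ("proposed", PROPOSED_TEMPLATE)):
        print(label, security_headers(cfg), deploy_check(cfg))
```

Running it shows the three warnings disappearing and the three headers appearing once the template values are in place, which is the whole of the first half of the proposal.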

Re: [Django] #30426: Make security headers default

#30426: Make security headers default
-------------------------------------+-------------------------------------
     Reporter:  Adam (Chainz)        |                    Owner:  nobody
  Johnson                            |
         Type:  New feature          |                   Status:  new
    Component:  Core (Other)         |                  Version:  2.2
     Severity:  Normal               |               Resolution:
     Keywords:                       |             Triage Stage:
                                     |  Unreviewed
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
Description changed by Adam (Chainz) Johnson:

New description:

 Following my security headers talk at DjangoCon Europe and its related
 blog post ( https://adamj.eu/tech/2019/04/10/how-to-score-a+-for-security-
 headers-on-your-django-website/ ), I'd like to make Django use more of
 these security headers by default on new projects. They're always harder
 to roll out on existing projects than to just bake into the new project
 template.

 On current master, running `python manage.py check --deploy` on a fresh
 project created with `startproject` yields these warnings:

 {{{
 System check identified some issues:

 WARNINGS:
 ?: (security.W004) You have not set a value for the SECURE_HSTS_SECONDS
 setting. If your entire site is served only over SSL, you may want to
 consider setting a value and enabling HTTP Strict Transport Security. Be
 sure to read the documentation first; enabling HSTS carelessly can cause
 serious, irreversible problems.
 ?: (security.W006) Your SECURE_CONTENT_TYPE_NOSNIFF setting is not set to
 True, so your pages will not be served with an 'X-Content-Type-Options:
 nosniff' header. You should consider enabling this header to prevent the
 browser from identifying content types incorrectly.
 ?: (security.W007) Your SECURE_BROWSER_XSS_FILTER setting is not set to
 True, so your pages will not be served with an 'X-XSS-Protection: 1;
 mode=block' header. You should consider enabling this header to activate
 the browser's XSS filtering and help prevent XSS attacks.
 ?: (security.W008) Your SECURE_SSL_REDIRECT setting is not set to True.
 Unless your site should be available over both SSL and non-SSL
 connections, you may want to either set this setting True or configure a
 load balancer or reverse-proxy server to redirect all connections to
 HTTPS.
 ?: (security.W012) SESSION_COOKIE_SECURE is not set to True. Using a
 secure-only session cookie makes it more difficult for network traffic
 sniffers to hijack user sessions.
 ?: (security.W016) You have 'django.middleware.csrf.CsrfViewMiddleware' in
 your MIDDLEWARE, but you have not set CSRF_COOKIE_SECURE to True. Using a
 secure-only CSRF cookie makes it more difficult for network traffic
 sniffers to steal the CSRF token.
 ?: (security.W018) You should not have DEBUG set to True in deployment.
 ?: (security.W019) You have
 'django.middleware.clickjacking.XFrameOptionsMiddleware' in your
 MIDDLEWARE, but X_FRAME_OPTIONS is not set to 'DENY'. The default is
 'SAMEORIGIN', but unless there is a good reason for your site to serve
 other parts of itself in a frame, you should change it to 'DENY'.
 ?: (security.W020) ALLOWED_HOSTS must not be empty in deployment.

 System check identified 9 issues (0 silenced).
 }}}

 Three of these come from security headers that we could activate by
 default in the settings `SECURE_CONTENT_TYPE_NOSNIFF`,
 `SECURE_BROWSER_XSS_FILTER`, and `X_FRAME_OPTIONS`.

 I'd like to propose making them default in the `startproject` settings and
 even changing their global defaults (through a deprecation period) so they
 are activated by default.

--

--
Ticket URL: <https://code.djangoproject.com/ticket/30426#comment:1>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

--
You received this message because you are subscribed to the Google Groups "Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/django-updates/068.a26578b5d485fbdcc430c17011fc0b83%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|

Re: [Django] #30426: Make security headers default

#30426: Make security headers default
-------------------------------------+-------------------------------------
     Reporter:  Adam (Chainz)        |                    Owner:  Adam
  Johnson                            |  (Chainz) Johnson
         Type:  New feature          |                   Status:  assigned
    Component:  Core (Other)         |                  Version:  2.2
     Severity:  Normal               |               Resolution:
     Keywords:                       |             Triage Stage:
                                     |  Unreviewed
    Has patch:  1                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
Changes (by Adam (Chainz) Johnson):

 * owner:  nobody => Adam (Chainz) Johnson
 * status:  new => assigned
 * has_patch:  0 => 1


--
Ticket URL: <https://code.djangoproject.com/ticket/30426#comment:2>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

--
You received this message because you are subscribed to the Google Groups "Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/django-updates/068.15a61f47ab3b5857d7b8366bce2309b1%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|

Re: [Django] #30426: Make security headers default

#30426: Make security headers default
-------------------------------------+-------------------------------------
     Reporter:  Adam (Chainz)        |                    Owner:  Adam
  Johnson                            |  (Chainz) Johnson
         Type:  New feature          |                   Status:  assigned
    Component:  Core (Other)         |                  Version:  2.2
     Severity:  Normal               |               Resolution:
     Keywords:                       |             Triage Stage:  Accepted
    Has patch:  1                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
Changes (by Carlton Gibson):

 * stage:  Unreviewed => Accepted


Comment:

 Hi Adam.

 I see no problem with changing the template.

 Maybe people will have comments on changing the defaults. (But let's put
 that to the test.)

 Thanks.

--
Ticket URL: <https://code.djangoproject.com/ticket/30426#comment:3>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

--
You received this message because you are subscribed to the Google Groups "Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/django-updates/068.ab1b91c687e5bb44e2a067f4ab183a64%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|

Re: [Django] #30426: Make security headers default

#30426: Make security headers default
-------------------------------------+-------------------------------------
     Reporter:  Adam (Chainz)        |                    Owner:  Adam
  Johnson                            |  (Chainz) Johnson
         Type:  New feature          |                   Status:  assigned
    Component:  Core (Other)         |                  Version:  2.2
     Severity:  Normal               |               Resolution:
     Keywords:                       |             Triage Stage:  Accepted
    Has patch:  1                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------

Comment (by Claude Paroz):

 Could you just sum up what would be the possible downside of this?

--
Ticket URL: <https://code.djangoproject.com/ticket/30426#comment:4>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

--
You received this message because you are subscribed to the Google Groups "Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/django-updates/068.ac00ac7b5b88cfc274e452faed7c10f2%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|

Re: [Django] #30426: Make security headers default

#30426: Make security headers default
-------------------------------------+-------------------------------------
     Reporter:  Adam (Chainz)        |                    Owner:  Adam
  Johnson                            |  (Chainz) Johnson
         Type:  New feature          |                   Status:  assigned
    Component:  Core (Other)         |                  Version:  2.2
     Severity:  Normal               |               Resolution:
     Keywords:                       |             Triage Stage:  Accepted
    Has patch:  1                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------

Comment (by Adam (Chainz) Johnson):

 I don't think there are many downsides to changing the template. We
 already ask developers to learn about these flags before production in
 `manage.py check --deploy`, so having them visible and on by default
 pushes this earlier in development and reduces the risk of writing
 incompatible, less secure code to begin with, on new projects.

 Changing the defaults via the deprecation timeline risks breaking sites
 (sometimes subtly) for each of these headers, since they disable some
 (bad) browser behaviour. We can probably force users to explicitly set the
 flags in their settings file in the version before the default is
 switched. I think there's a precedent but can't remember which setting.

--
Ticket URL: <https://code.djangoproject.com/ticket/30426#comment:5>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
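The transition Adam sketches in the comment above, where the release before the default flips makes each project state the three settings explicitly, can be prototyped as a settings-level check. The following is an added example written for this page, not Django's deprecation machinery: the warning class, the function names, and the constructed stand-in settings modules are assumptions; the old and new default values are the ones discussed in the ticket.

```python
"""Added example: a pre-flip transition check that reports which of the
three settings a project has left implicit, and therefore which values
would silently change when the global defaults switch. Not Django's code."""

import types
import warnings
from typing import Dict, List, Tuple

# Global defaults today and after the proposed change (values from the ticket).
OLD_DEFAULTS: Dict[str, object] = {
    "SECURE_CONTENT_TYPE_NOSNIFF": False,
    "SECURE_BROWSER_XSS_FILTER": False,
    "X_FRAME_OPTIONS": "SAMEORIGIN",
}
NEW_DEFAULTS: Dict[str, object] = {
    "SECURE_CONTENT_TYPE_NOSNIFF": True,
    "SECURE_BROWSER_XSS_FILTER": True,
    "X_FRAME_OPTIONS": "DENY",
}


class DefaultChangeWarning(DeprecationWarning):
    """Hypothetical stand-in for a versioned deprecation warning class."""


def effective(settings_module: types.ModuleType,
              defaults: Dict[str, object]) -> Dict[str, object]:
    """Resolve each setting: a value set in the project module wins over
    the global default, which is how Django layers settings."""
    return {name: getattr(settings_module, name, default)
            for name, default in defaults.items()}


def silently_changing(settings_module: types.ModuleType) -> Dict[str, Tuple[object, object]]:
    """Settings whose effective value differs between the old and the new
    defaults for this project, i.e. the ones the project never set itself."""
    before = effective(settings_module, OLD_DEFAULTS)
    after = effective(settings_module, NEW_DEFAULTS)
    return {name: (before[name], after[name])
            for name in OLD_DEFAULTS if before[name] != after[name]}


def transition_check(settings_module: types.ModuleType) -> List[str]:
    """Meant for the release before the flip: emit one warning per implicit
    setting and return the messages so callers can inspect them."""
    messages: List[str] = []
    for name, (old, new) in silently_changing(settings_module).items():
        msg = (f"{name} is not set in your settings; its default changes from "
               f"{old!r} to {new!r} in the next release. Set it explicitly to "
               f"keep the current behaviour or opt in to the new one.")
        warnings.warn(msg, DefaultChangeWarning, stacklevel=2)
        messages.append(msg)
    return messages


def make_settings(**values: object) -> types.ModuleType:
    """Constructed stand-in for a project's settings.py module."""
    module = types.ModuleType("settings")
    for key, value in values.items():
        setattr(module, key, value)
    return module


# Constructed projects: one that never touched the flags, one that frames
# itself and relies on SAMEORIGIN, one that already matches the new defaults.
LEGACY = make_settings(DEBUG=False)
FRAMES_ITSELF = make_settings(X_FRAME_OPTIONS="SAMEORIGIN")
ALREADY_STRICT = make_settings(**NEW_DEFAULTS)

if __name__ == "__main__":
    for label, module in (("legacy", LEGACY), ("frames-itself", FRAMES_ITSELF),
                          ("strict", ALREADY_STRICT)):
        print(label, silently_changing(module))
```

The "frames-itself" case is the subtle breakage the comment warns about: a site that depends on the current `SAMEORIGIN` default but never wrote it down would start sending `DENY` after the flip, so the transition check is what turns that into an explicit, visible decision in the release before.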

--
You received this message because you are subscribed to the Google Groups "Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/django-updates/068.4c8afcc1b3ad0e255d78c5ad0d758981%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|

Re: [Django] #30426: Make security headers default

#30426: Make security headers default
-------------------------------------+-------------------------------------
     Reporter:  Adam (Chainz)        |                    Owner:  Adam
  Johnson                            |  (Chainz) Johnson
         Type:  New feature          |                   Status:  assigned
    Component:  Core (Other)         |                  Version:  2.2
     Severity:  Normal               |               Resolution:
     Keywords:                       |             Triage Stage:  Accepted
    Has patch:  1                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------

Comment (by Claude Paroz):

 If this is only breaking sites in case of "bad" behavior, I guess we can
 live with a backwards incompatibility note in the release notes.

--
Ticket URL: <https://code.djangoproject.com/ticket/30426#comment:6>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

--
You received this message because you are subscribed to the Google Groups "Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/django-updates/068.2a196831184f78661fb998347c303470%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|

Re: [Django] #30426: Make security headers default

#30426: Make security headers default
-------------------------------------+-------------------------------------
     Reporter:  Adam (Chainz)        |                    Owner:  Adam
  Johnson                            |  (Chainz) Johnson
         Type:  New feature          |                   Status:  assigned
    Component:  Core (Other)         |                  Version:  2.2
     Severity:  Normal               |               Resolution:
     Keywords:                       |             Triage Stage:  Accepted
    Has patch:  1                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------

Comment (by Florian Apolloner):

 Replying to [comment:6 Claude Paroz]:
 > If this is only breaking sites in case of "bad" behavior, I guess we can
 live with a backwards incompatibility note in the release notes.

 It's not even technically backwards incompatible since you only get those
 settings when creating a new project, Adam did not set it in the global
 defaults.

--
Ticket URL: <https://code.djangoproject.com/ticket/30426#comment:7>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

--
You received this message because you are subscribed to the Google Groups "Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/django-updates/068.1ab342e9a5d22cf7094af78c1fd7fded%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|

Re: [Django] #30426: Make security headers default

#30426: Make security headers default
-------------------------------------+-------------------------------------
     Reporter:  Adam (Chainz)        |                    Owner:  Adam
  Johnson                            |  (Chainz) Johnson
         Type:  New feature          |                   Status:  assigned
    Component:  Core (Other)         |                  Version:  2.2
     Severity:  Normal               |               Resolution:
     Keywords:                       |             Triage Stage:  Accepted
    Has patch:  1                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
Changes (by Florian Apolloner):

 * cc: Florian Apolloner (added)


--
Ticket URL: <https://code.djangoproject.com/ticket/30426#comment:8>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

--
You received this message because you are subscribed to the Google Groups "Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/django-updates/068.71121b3b3431c9d38d168f6940eb6bb4%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|

Re: [Django] #30426: Make security headers default

#30426: Make security headers default
-------------------------------------+-------------------------------------
     Reporter:  Adam (Chainz)        |                    Owner:  Adam
  Johnson                            |  (Chainz) Johnson
         Type:  New feature          |                   Status:  assigned
    Component:  Core (Other)         |                  Version:  2.2
     Severity:  Normal               |               Resolution:
     Keywords:                       |             Triage Stage:  Accepted
    Has patch:  1                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------

Comment (by Claude Paroz):

 I was referring to the last sentence of the ticket description:
 > and even changing their global defaults (through a deprecation period)
 so they are activated by default.

 If they are safe defaults, I would be in favor of changing the global
 defaults for these settings. I think we generally strive to make the
 project settings template as short as possible.

--
Ticket URL: <https://code.djangoproject.com/ticket/30426#comment:9>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

--
You received this message because you are subscribed to the Google Groups "Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/django-updates/068.d93d867fdf4f64b342d4c8cc69534dc8%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|

Re: [Django] #30426: Make security headers default. (was: Make security headers default)

#30426: Make security headers default.
-------------------------------------+-------------------------------------
     Reporter:  Adam (Chainz)        |                    Owner:  Adam
  Johnson                            |  (Chainz) Johnson
         Type:  New feature          |                   Status:  assigned
    Component:  Core (Other)         |                  Version:  master
     Severity:  Normal               |               Resolution:
     Keywords:                       |             Triage Stage:  Accepted
    Has patch:  1                    |      Needs documentation:  1
  Needs tests:  0                    |  Patch needs improvement:  1
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
Changes (by felixxm):

 * needs_better_patch:  0 => 1
 * version:  2.2 => master
 * needs_docs:  0 => 1


Comment:

 I agree that we can change global default values for these 3 settings
 (release notes and changes in docs are required).

 [https://github.com/django/django/pull/11307 PR]

--
Ticket URL: <https://code.djangoproject.com/ticket/30426#comment:10>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

--
You received this message because you are subscribed to the Google Groups "Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/django-updates/068.2e26304b7979545d6ea6bce2c2dafdb5%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|

Re: [Django] #30426: Make security headers default.

#30426: Make security headers default.
-------------------------------------+-------------------------------------
     Reporter:  Adam (Chainz)        |                    Owner:  Adam
  Johnson                            |  (Chainz) Johnson
         Type:  New feature          |                   Status:  assigned
    Component:  Core (Other)         |                  Version:  master
     Severity:  Normal               |               Resolution:
     Keywords:                       |             Triage Stage:  Accepted
    Has patch:  1                    |      Needs documentation:  1
  Needs tests:  0                    |  Patch needs improvement:  1
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------

Comment (by Claude Paroz):

 Any rationale about adding the defaults to the project template instead of
 changing the default values? I think release notes could warn about the
 changed defaults.

--
Ticket URL: <https://code.djangoproject.com/ticket/30426#comment:11>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

--
You received this message because you are subscribed to the Google Groups "Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/django-updates/068.b5f13e574ed8b7ea02382ce1569e70ba%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|

Re: [Django] #30426: Make security headers default.

#30426: Make security headers default.
-------------------------------------+-------------------------------------
     Reporter:  Adam (Chainz)        |                    Owner:  Adam
  Johnson                            |  (Chainz) Johnson
         Type:  New feature          |                   Status:  assigned
    Component:  Core (Other)         |                  Version:  master
     Severity:  Normal               |               Resolution:
     Keywords:                       |             Triage Stage:  Accepted
    Has patch:  1                    |      Needs documentation:  1
  Needs tests:  0                    |  Patch needs improvement:  1
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------

Comment (by Florian Apolloner):

 Simply because it is not backwards compatible.

--
Ticket URL: <https://code.djangoproject.com/ticket/30426#comment:12>

Comment (by Claude Paroz):

 Of course, but it's not like we never made incompatible changes :-) (with
 proper release notes).
 I think that so-called "safe defaults" belong to the global settings file.
 I vote for keeping the project settings file as slim as possible by
 default. But I can understand other opinions too, for sure.

--
Ticket URL: <https://code.djangoproject.com/ticket/30426#comment:13>

Comment (by Florian Apolloner):

 Sure and I am fully in favor of making them a global default, I am just
 not sure if we can argue it given our policies… So if you all think that
 we should do it, I am +1 (with a rather prominent note in the release
 notes). That said I think only the `X_FRAME_OPTIONS` change would be
 relevant at all because I cannot imagine how one would rely on the
 behavior of the others to do something useful :)

--
Ticket URL: <https://code.djangoproject.com/ticket/30426#comment:14>

Comment (by Ran Benita):

 From a recent [https://adamj.eu/tech/2019/08/02/feature-policy-updates-
 now-required-for-a-plus/ blog post] by Adam, and the
 [https://scotthelme.co.uk/security-headers-updates/#removing-the-x-xss-
 protection-header linked blog] and further links down it sounds like the
 `X-Xss-Protection` header is deprecated or removed in modern browsers, and
 maybe even [https://bugs.chromium.org/p/chromium/issues/detail?id=968591
 harmful]. So maybe this one should not be enabled by default, and maybe
 even the `security.W007` check should be removed?

--
Ticket URL: <https://code.djangoproject.com/ticket/30426#comment:15>

Comment (by Adam (Chainz) Johnson):

 Yes Ran - hadn't quite thought that through yet. I made a new ticket
 #30680 to deal with that, left open for discussion right now.

--
Ticket URL: <https://code.djangoproject.com/ticket/30426#comment:16>

Comment (by Mariusz Felisiak <felisiak.mariusz@…>):

 In [changeset:"04681597634a0c803246fe68b3bcb64f81e7305c" 04681597]:
 {{{
 #!CommitTicketReference repository=""
 revision="04681597634a0c803246fe68b3bcb64f81e7305c"
 Refs #30426 -- Changed default SECURE_CONTENT_TYPE_NOSNIFF to True.
 }}}

--
Ticket URL: <https://code.djangoproject.com/ticket/30426#comment:17>

Comment (by Claude Paroz):

 Looks like the remaining question is about `X_FRAME_OPTIONS`:

 - Make it `DENY` by default in global settings with a backwards
 incompatibility note in release notes
 - Make it `DENY` in the default project settings template (better for
 compatibility, but clutters the project settings file and doesn't do
 anything for existing projects)

--
Ticket URL: <https://code.djangoproject.com/ticket/30426#comment:18>
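
A plain-Python model of the defaults this thread converges on, added here as an illustration and not Django's own code: a settings object with `X_FRAME_OPTIONS = "DENY"`, `SECURE_CONTENT_TYPE_NOSNIFF = True` and `X-XSS-Protection` left off, a simplified mirror of the `check --deploy` warnings, and a WSGI wrapper that emits the headers unless the view already set them. The `security.W019` code and the set-only-if-absent rule follow Django's behaviour; the `SecuritySettings` class, `hello_app` and the `run` driver are constructed for the example.

```python
# Added illustration of the defaults debated in #30426, not Django's own code.
from dataclasses import dataclass

@dataclass(frozen=True)
class SecuritySettings:
    X_FRAME_OPTIONS: str = "DENY"              # proposed new global default
    SECURE_CONTENT_TYPE_NOSNIFF: bool = True   # default changed in 04681597
    SECURE_BROWSER_XSS_FILTER: bool = False    # X-XSS-Protection left off (#30680)

def security_headers(s):
    """Headers the middleware emits for these settings (simplified model)."""
    headers = {}
    if s.SECURE_CONTENT_TYPE_NOSNIFF:
        headers["X-Content-Type-Options"] = "nosniff"
    if s.X_FRAME_OPTIONS:
        headers["X-Frame-Options"] = s.X_FRAME_OPTIONS.upper()
    if s.SECURE_BROWSER_XSS_FILTER:
        headers["X-XSS-Protection"] = "1; mode=block"   # deprecated in browsers
    return headers

def deploy_check(s):
    """Subset of `manage.py check --deploy` warning codes, in check order."""
    found = []
    if not s.SECURE_CONTENT_TYPE_NOSNIFF:
        found.append("security.W006")    # nosniff header missing
    if s.X_FRAME_OPTIONS.upper() != "DENY":
        found.append("security.W019")    # X_FRAME_OPTIONS is not DENY
    return found

def secure_headers_middleware(app, s=SecuritySettings()):
    """WSGI wrapper: adds each header unless the view already set it."""
    def wrapped(environ, start_response):
        def sr(status, headers, exc_info=None):
            present = {n.lower() for n, _ in headers}
            extra = [(n, v) for n, v in security_headers(s).items()
                     if n.lower() not in present]
            return start_response(status, headers + extra, exc_info)
        return app(environ, sr)
    return wrapped

def hello_app(environ, start_response):   # constructed sample view, no own headers
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]

def run(app, path="/"):   # minimal WSGI driver -> (status, headers dict, body)
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)
    body = b"".join(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return captured["status"], captured["headers"], body
```

With the pre-ticket values (`SAMEORIGIN`, nosniff off) `deploy_check` reports both warnings; with the proposed defaults it reports none and every response carries `DENY` and `nosniff` without an `X-XSS-Protection` header.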

Comment (by Adam (Chainz) Johnson):

 It seems the consensus is to make it DENY by default with a warning - any
 objections?

--
Ticket URL: <https://code.djangoproject.com/ticket/30426#comment:19>