Merge pull request #1624 from ptrovatelli/add-nosniff-header

Add nosniff header and other improvments related to installation

Dockerfile.django

@@ -100,11 +100,9 @@ ENV \
   DD_DATABASE_PASSWORD="defectdojo" \
   DD_DATABASE_PORT="3306" \
   DD_DATABASE_USER="defectdojo" \
-  DD_SECRET_KEY="hhZCp@D28z!n@NED*yB!ROMt+WzsY*iq" \
-  DD_CREDENTIAL_AES_256_KEY="&91a*agLqesc*0DJ+2*bAbsUZfR*4nLw" \
   DD_INITIALIZE=true \
   DD_UWSGI_MODE="socket" \
   DD_UWSGI_ENDPOINT="0.0.0.0:3031" \
-  DD_DJANGO_ADMIN_ENABLED="on" \
-  DD_TRACK_MIGRATIONS="on"
+  DD_DJANGO_ADMIN_ENABLED="True" \
+  DD_TRACK_MIGRATIONS="True"
 ENTRYPOINT ["/entrypoint-uwsgi.sh"]

docker-compose.override.dev.yml

@@ -6,7 +6,7 @@ services:
     volumes:
       - '.:/app:z'
     environment:
-      DD_DEBUG: 'on'
+      DD_DEBUG: 'True'
   celeryworker:
     volumes:
       - '.:/app:z'

docker-compose.override.ptvsd.yml

@@ -6,7 +6,7 @@ services:
     volumes:
       - '.:/app:z'
     environment:
-      DD_DEBUG: 'on'
+      DD_DEBUG: 'True'
     ports:
       - target: 3000
         published: 3000

docker-compose.override.unit_tests.yml

@@ -11,7 +11,7 @@ services:
     volumes:
       - '.:/app:z'
     environment:
-      DD_DEBUG: 'on'
+      DD_DEBUG: 'True'
       DD_TEST_DATABASE_NAME: ${DD_TEST_DATABASE_NAME:-test_defectdojo}
       DD_DATABASE_NAME: ${DD_TEST_DATABASE_NAME:-test_defectdojo}
   celerybeat:

docker-compose.yml

@@ -22,11 +22,13 @@ services:
       - mysql
     entrypoint: ['/wait-for-it.sh', 'mysql:3306', '-t', '30', '--', '/entrypoint-uwsgi.sh']
     environment:
-      DD_DEBUG: 'off'
+      DD_DEBUG: 'False'
       DD_ALLOWED_HOSTS: ${DD_ALLOWED_HOSTS:-*}
       DD_DATABASE_URL: ${DD_DATABASE_URL:-mysql://defectdojo:defectdojo@mysql:3306/defectdojo}
       DD_CELERY_BROKER_USER: ${DD_CELERY_BROKER_USER:-guest}
       DD_CELERY_BROKER_PASSWORD: ${DD_CELERY_BROKER_USER:-guest}
+      DD_SECRET_KEY: ${DD_SECRET_KEY:-hhZCp@D28z!n@NED*yB!ROMt+WzsY*iq}
+      DD_CREDENTIAL_AES_256_KEY: ${DD_CREDENTIAL_AES_256_KEY:-&91a*agLqesc*0DJ+2*bAbsUZfR*4nLw}
   celerybeat:
     image: defectdojo/defectdojo-django:latest
     depends_on:
@@ -37,6 +39,8 @@ services:
       DD_DATABASE_URL: ${DD_DATABASE_URL:-mysql://defectdojo:defectdojo@mysql:3306/defectdojo}
       DD_CELERY_BROKER_USER: ${DD_CELERY_BROKER_USER:-guest}
       DD_CELERY_BROKER_PASSWORD: ${DD_CELERY_BROKER_USER:-guest}
+      DD_SECRET_KEY: ${DD_SECRET_KEY:-hhZCp@D28z!n@NED*yB!ROMt+WzsY*iq}
+      DD_CREDENTIAL_AES_256_KEY: ${DD_CREDENTIAL_AES_256_KEY:-&91a*agLqesc*0DJ+2*bAbsUZfR*4nLw}
   celeryworker:
     image: defectdojo/defectdojo-django:latest
     depends_on:
@@ -47,6 +51,8 @@ services:
       DD_DATABASE_URL: ${DD_DATABASE_URL:-mysql://defectdojo:defectdojo@mysql:3306/defectdojo}
       DD_CELERY_BROKER_USER: ${DD_CELERY_BROKER_USER:-guest}
       DD_CELERY_BROKER_PASSWORD: ${DD_CELERY_BROKER_USER:-guest}
+      DD_SECRET_KEY: ${DD_SECRET_KEY:-hhZCp@D28z!n@NED*yB!ROMt+WzsY*iq}
+      DD_CREDENTIAL_AES_256_KEY: ${DD_CREDENTIAL_AES_256_KEY:-&91a*agLqesc*0DJ+2*bAbsUZfR*4nLw}
   initializer:
     image: defectdojo/defectdojo-django:latest
     depends_on:
@@ -59,6 +65,8 @@ services:
       DD_ADMIN_FIRST_NAME: ${DD_ADMIN_FIRST_NAME:-Admin}
       DD_ADMIN_LAST_NAME: ${DD_ADMIN_LAST_NAME:-User}
       DD_INITIALIZE: ${DD_INITIALIZE:-true}
+      DD_SECRET_KEY: ${DD_SECRET_KEY:-hhZCp@D28z!n@NED*yB!ROMt+WzsY*iq}
+      DD_CREDENTIAL_AES_256_KEY: ${DD_CREDENTIAL_AES_256_KEY:-&91a*agLqesc*0DJ+2*bAbsUZfR*4nLw}
   mysql:
     image: mysql:5.7.27@sha256:540488d8f0e04c1077d17934d1c1511fe417e2221dff508ce4621f5efe6131db
     environment:

dojo/settings/settings.dist.py

@@ -17,7 +17,8 @@
     DD_SECURE_HSTS_SECONDS=(int, 31536000),  # One year expiration
     DD_SESSION_COOKIE_SECURE=(bool, False),
     DD_CSRF_COOKIE_SECURE=(bool, False),
-    DD_SECURE_BROWSER_XSS_FILTER=(bool, False),
+    DD_SECURE_BROWSER_XSS_FILTER=(bool, True),
+    DD_SECURE_CONTENT_TYPE_NOSNIFF=(bool, True),
     DD_TIME_ZONE=(str, 'UTC'),
     DD_LANG=(str, 'en-us'),
     DD_WKHTMLTOPDF=(str, '/usr/local/bin/wkhtmltopdf'),
@@ -318,6 +319,9 @@ def generate_url(scheme, double_slashes, user, password, host, port, path):
 # mode=block header on all responses that do not already have it.
 SECURE_BROWSER_XSS_FILTER = env('DD_SECURE_BROWSER_XSS_FILTER')
 
+# If True, the SecurityMiddleware sets the X-Content-Type-Options: nosniff;
+SECURE_CONTENT_TYPE_NOSNIFF = env('DD_SECURE_CONTENT_TYPE_NOSNIFF')
+
 # Whether to use HTTPOnly flag on the session cookie.
 # If this is set to True, client-side JavaScript will not to be able to access the session cookie.
 SESSION_COOKIE_HTTPONLY = env('DD_SESSION_COOKIE_HTTPONLY')

dojo/settings/template-env

@@ -1,8 +1,8 @@
 # Django Debug, don't enable on production!
-DD_DEBUG=off
+DD_DEBUG=False
 
 # Enables Django Admin
-DD_DJANGO_ADMIN_ENABLED=on
+DD_DJANGO_ADMIN_ENABLED=True
 
 # A secret key for a particular Django installation.
 DD_SECRET_KEY=#DD_SECRET_KEY#
@@ -19,7 +19,7 @@ DD_ALLOWED_HOSTS=#DD_ALLOWED_HOSTS#
 # WhiteNoise allows your web app to serve its own static files,
 # making it a self-contained unit that can be deployed anywhere without relying on nginx,
 # if using nginx then disable Whitenoise
-DD_WHITENOISE=on
+DD_WHITENOISE=True
 
 # -------------------------------------------------------
 # Additional Settings / Override defaults in settings.py
@@ -29,22 +29,25 @@ DD_WHITENOISE=on
 # DD_TIME_ZONE=America/New_York
 
 # Track migrations through source control rather than making migrations locally
-# DD_TRACK_MIGRATIONS=on
+# DD_TRACK_MIGRATIONS=False
 
 # Whether to use HTTPOnly flag on the session cookie.
-# DD_SESSION_COOKIE_HTTPONLY=on
+# DD_SESSION_COOKIE_HTTPONLY=True
 
 # Whether to use HttpOnly flag on the CSRF cookie.
-# DD_CSRF_COOKIE_HTTPONLY=on
+# DD_CSRF_COOKIE_HTTPONLY=True
 
 # If True, the SecurityMiddleware redirects all non-HTTPS requests to HTTPS
-# DD_SECURE_SSL_REDIRECT=off
+# DD_SECURE_SSL_REDIRECT=False
 
 # Whether to use a secure cookie for the CSRF cookie.
-# DD_CSRF_COOKIE_SECURE=off
+# DD_CSRF_COOKIE_SECURE=False
 
-# If on, the SecurityMiddleware sets the X-XSS-Protection: 1;
-# DD_SECURE_BROWSER_XSS_FILTER=on
+# If True, the SecurityMiddleware sets the X-XSS-Protection: 1;
+# DD_SECURE_BROWSER_XSS_FILTER=True
+
+# If True, the SecurityMiddleware sets the X-Content-Type-Options: nosniff;
+# DD_SECURE_CONTENT_TYPE_NOSNIFF=True
 
 # Change the default language set
 # DD_LANG=en-us

dojo/wsgi.py

@@ -46,7 +46,7 @@ def _check_ptvsd_port_not_in_use(port):
 
 
 ptvsd_port = 3000
-if os.environ.get("DD_DEBUG") == "on" and _check_ptvsd_port_not_in_use(ptvsd_port):
+if os.environ.get("DD_DEBUG") == "True" and _check_ptvsd_port_not_in_use(ptvsd_port):
     try:
         # enable remote debugging
         import ptvsd

entrypoint_scripts/common/config-vars.sh

@@ -72,24 +72,25 @@ DEV_ADMIN_PASS="admin"
 ADMIN_EMAIL=${ADMIN_EMAIL:-"ed@example.com"}
 
 # Django settings.py vars
-DD_DEBUG=${DD_DEBUG:="off"}                              # Django Debug, defaults to off and should be for production. Can be off or on
-DD_DJANGO_ADMIN_ENABLED=${DD_DJANGO_ADMIN_ENABLED:-"on"} # Enables Django Admin, defaults to on - either off or on
+DD_DEBUG=${DD_DEBUG:="False"}                              # Django Debug, defaults to False and should be for production. Can be True or False
+DD_DJANGO_ADMIN_ENABLED=${DD_DJANGO_ADMIN_ENABLED:-"True"} # Enables Django Admin, defaults to True - either False or True
 DD_SECRET_KEY="GENERATED-DYNAMICALLY-AT-INSTALL-TIME"    # A secret key for a particular Django installation.
 DD_CREDENTIAL_AES_256_KEY="GENERATED-DYNAMICALLY-AT-INSTALL-TIME" # Key for encrypting credentials in the manager
 DD_DATABASE_URL=${DD_DATABASE_URL:-"mysql://dojodbusr:vee0Thoanae1daePooz0ieka@localhost:3306/dojodb"} # Database URL, options: postgres://, mysql://, sqlite://, to use unsafe characters encode with urllib.parse.encode
 DD_ALLOWED_HOSTS=${DD_ALLOWED_HOSTS:-"*"}                # Hosts/domain names that are valid for this site - Separate accepted hosts with a comma for 2+ hostnames
 # WhiteNoise allows your web app to serve its own static files,
 # making it a self-contained unit that can be deployed anywhere without relying on nginx,
 # if using nginx then disable Whitenoise
-DD_WHITENOISE=${DD_WHITENOISE:-"on"}   # Valid options: on, off 
+DD_WHITENOISE=${DD_WHITENOISE:-"True"}   # Valid options: True, False
 # Additional Settings / Override defaults in settings.py
 DD_TIME_ZONE=${DD_TIME_ZONE:-"America/New_York"}         # Timezone - default America/New_York
-DD_TRACK_MIGRATIONS=${DD_TRACK_MIGRATIONS:-"on"}         # Track migrations through source control rather than making migrations locally
-DD_SESSION_COOKIE_HTTPONLY=${DD_SESSION_COOKIE_HTTPONLY:-"on"} # Whether to use HTTPOnly flag on the session cookie - either on or off
-DD_CSRF_COOKIE_HTTPONLY=${DD_CSRF_COOKIE_HTTPONLY:-"on"} # Whether to use HttpOnly flag on the CSRF cookie - either on or off
-DD_SECURE_SSL_REDIRECT=${DD_SECURE_SSL_REDIRECT:-"off"}  # If True, the SecurityMiddleware redirects all non-HTTPS requests to HTTPS - either on or off
-DD_CSRF_COOKIE_SECURE=${DD_CSRF_COOKIE_SECURE:-"off"}    # Whether to use a secure cookie for the CSRF cookie - either on or off
-DD_SECURE_BROWSER_XSS_FILTER=${DD_SECURE_BROWSER_XSS_FILTER:-"on"} # If on, the SecurityMiddleware sets the X-XSS-Protection: 1; - either on or off
+DD_TRACK_MIGRATIONS=${DD_TRACK_MIGRATIONS:-"True"}         # Track migrations through source control rather than making migrations locally
+DD_SESSION_COOKIE_HTTPONLY=${DD_SESSION_COOKIE_HTTPONLY:-"True"} # Whether to use HTTPOnly flag on the session cookie - either True or False
+DD_CSRF_COOKIE_HTTPONLY=${DD_CSRF_COOKIE_HTTPONLY:-"True"} # Whether to use HttpOnly flag on the CSRF cookie - either True or False
+DD_SECURE_SSL_REDIRECT=${DD_SECURE_SSL_REDIRECT:-"False"}  # If True, the SecurityMiddleware redirects all non-HTTPS requests to HTTPS - either True or False
+DD_CSRF_COOKIE_SECURE=${DD_CSRF_COOKIE_SECURE:-"False"}    # Whether to use a secure cookie for the CSRF cookie - either True or False
+DD_SECURE_BROWSER_XSS_FILTER=${DD_SECURE_BROWSER_XSS_FILTER:-"True"} # If True, the SecurityMiddleware sets the X-XSS-Protection: 1; - either True or False
+DD_SECURE_CONTENT_TYPE_NOSNIFF=${DD_SECURE_CONTENT_TYPE_NOSNIFF:-"True"} # If True, the SecurityMiddleware sets the X-Content-Type-Options: nosniff;
 DD_LANG=${DD_LANG:-"en-us"}                              # Change the default language set
 DD_WKHTMLTOPDF=${DD_WKHTMLTOPDF:-"/usr/local/bin/wkhtmltopdf"} # Path to PDF library
 DD_TEAM_NAME=${DD_TEAM_NAME:-"Security"}                 # Security team name, used for outgoing emails

entrypoint_scripts/common/dojo-shared-resources.sh

@@ -458,7 +458,7 @@ function prepare_settings_file() {
         echo 'DD_ALLOWED_HOSTS="localhost"' >> ${ENV_SETTINGS_FILE}
     fi
 
-    echo 'DD_DEBUG="on"' >> ${ENV_SETTINGS_FILE}
+    echo 'DD_DEBUG="True"' >> ${ENV_SETTINGS_FILE}
     echo 'DD_SECRET_KEY="'${SECRET}'"' >> ${ENV_SETTINGS_FILE}
     echo 'DD_CREDENTIAL_AES_256_KEY="'${AES_PASSPHRASE}'"' >> ${ENV_SETTINGS_FILE}
 }

entrypoint_scripts/common/install-env

@@ -46,6 +46,9 @@ DD_CSRF_COOKIE_SECURE=#DD_CSRF_COOKIE_SECURE#
 # If on, the SecurityMiddleware sets the X-XSS-Protection: 1; - default is on
 DD_SECURE_BROWSER_XSS_FILTER=#DD_SECURE_BROWSER_XSS_FILTER#
 
+# If True, the SecurityMiddleware sets the X-Content-Type-Options: nosniff;
+DD_SECURE_CONTENT_TYPE_NOSNIFF=#DD_SECURE_CONTENT_TYPE_NOSNIFF#
+
 # Change the default language set - default is en-us
 DD_LANG=#DD_LANG#
 

entrypoint_scripts/os/linux.sh

@@ -213,6 +213,8 @@ function create_dojo_settings() {
     sed -i -e 's%#DD_PORT_SCAN_EXTERNAL_UNIT_EMAIL_LIST#%'$DD_PORT_SCAN_EXTERNAL_UNIT_EMAIL_LIST'%' "$ENV_TARGET_FILE"
     echo "22"
     sed -i -e 's%#DD_PORT_SCAN_SOURCE_IP#%'$DD_PORT_SCAN_SOURCE_IP'%' "$ENV_TARGET_FILE"
+    echo "23"
+    sed -i -e 's%#DD_SECURE_CONTENT_TYPE_NOSNIFF#%'$DD_SECURE_CONTENT_TYPE_NOSNIFF'%' "$ENV_TARGET_FILE"
     # File paths for settings.py
     #sed -i -e 's%#DOJO_ROOT#%'$DOJO_ROOT'%' "$TARGET_SETTINGS_FILE"
     #sed -i -e 's%#MEDIA_ROOT#%'$MEDIA_ROOT'%' "$TARGET_SETTINGS_FILE"

entrypoint_scripts/test/travis-unit-test.sh

@@ -14,7 +14,7 @@ export DJANGO_SETTINGS_MODULE=dojo.settings.unittest
 export DD_SECRET_KEY=`cat /dev/urandom | LC_CTYPE=C tr -dc "a-zA-Z0-9" | head -c 128`
 export DD_CREDENTIAL_AES_256_KEY=`cat /dev/urandom | LC_CTYPE=C tr -dc "a-zA-Z0-9" | head -c 128`
 export DD_DATABASE_URL="sqlite:///test.db"
-export DD_DEBUG=on
+export DD_DEBUG=True
 
 python manage.py makemigrations dojo
 python manage.py migrate

legacy-setup.bash

@@ -65,6 +65,7 @@ echo "        CSRF_COOKIE_SECURE = True"
 echo "        SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')"
 echo "        SECURE_SSL_REDIRECT = True"
 echo "        SECURE_BROWSER_XSS_FILTER = True"
+echo "        SECURE_CONTENT_TYPE_NOSNIFF = True"
 echo "        django.middleware.security.SecurityMiddleware"
 echo
 echo "When you're ready to start the DefectDojo server, type in this directory:"

setup/scripts/common/config-vars.sh

@@ -73,7 +73,7 @@ DEV_ADMIN_PASS="admin"
 ADMIN_EMAIL=${ADMIN_EMAIL:-"ed@example.com"}
 
 # Django settings.py vars
-DD_DEBUG=${DD_DEBUG:="off"}                              # Django Debug, defaults to off and should be for production. Can be off or on
+DD_DEBUG=${DD_DEBUG:="False"}                              # Django Debug, defaults to False and should be for production. Can be False or True
 DD_DJANGO_ADMIN_ENABLED=${DD_DJANGO_ADMIN_ENABLED:-"on"} # Enables Django Admin, defaults to on - either off or on
 DD_SECRET_KEY="GENERATED-DYNAMICALLY-AT-INSTALL-TIME"    # A secret key for a particular Django installation.
 DD_CREDENTIAL_AES_256_KEY="GENERATED-DYNAMICALLY-AT-INSTALL-TIME" # Key for encrypting credentials in the manager
@@ -82,15 +82,16 @@ DD_ALLOWED_HOSTS=${DD_ALLOWED_HOSTS:-"*"}                # Hosts/domain names th
 # WhiteNoise allows your web app to serve its own static files,
 # making it a self-contained unit that can be deployed anywhere without relying on nginx,
 # if using nginx then disable Whitenoise
-DD_WHITENOISE=${DD_WHITENOISE:-"on"}   # Valid options: on, off 
+DD_WHITENOISE=${DD_WHITENOISE:-"True"}   # Valid options: True, False 
 # Additional Settings / Override defaults in settings.py
 DD_TIME_ZONE=${DD_TIME_ZONE:-"America/New_York"}         # Timezone - default America/New_York
-DD_TRACK_MIGRATIONS=${DD_TRACK_MIGRATIONS:-"on"}         # Track migrations through source control rather than making migrations locally
-DD_SESSION_COOKIE_HTTPONLY=${DD_SESSION_COOKIE_HTTPONLY:-"on"} # Whether to use HTTPOnly flag on the session cookie - either on or off
-DD_CSRF_COOKIE_HTTPONLY=${DD_CSRF_COOKIE_HTTPONLY:-"on"} # Whether to use HttpOnly flag on the CSRF cookie - either on or off
-DD_SECURE_SSL_REDIRECT=${DD_SECURE_SSL_REDIRECT:-"off"}  # If True, the SecurityMiddleware redirects all non-HTTPS requests to HTTPS - either on or off
-DD_CSRF_COOKIE_SECURE=${DD_CSRF_COOKIE_SECURE:-"off"}    # Whether to use a secure cookie for the CSRF cookie - either on or off
-DD_SECURE_BROWSER_XSS_FILTER=${DD_SECURE_BROWSER_XSS_FILTER:-"on"} # If on, the SecurityMiddleware sets the X-XSS-Protection: 1; - either on or off
+DD_TRACK_MIGRATIONS=${DD_TRACK_MIGRATIONS:-"True"}         # Track migrations through source control rather than making migrations locally
+DD_SESSION_COOKIE_HTTPONLY=${DD_SESSION_COOKIE_HTTPONLY:-"True"} # Whether to use HTTPOnly flag on the session cookie - either True or False
+DD_CSRF_COOKIE_HTTPONLY=${DD_CSRF_COOKIE_HTTPONLY:-"True"} # Whether to use HttpOnly flag on the CSRF cookie - either True or False
+DD_SECURE_SSL_REDIRECT=${DD_SECURE_SSL_REDIRECT:-"False"}  # If True, the SecurityMiddleware redirects all non-HTTPS requests to HTTPS - either True or False
+DD_CSRF_COOKIE_SECURE=${DD_CSRF_COOKIE_SECURE:-"False"}    # Whether to use a secure cookie for the CSRF cookie - either True or False
+DD_SECURE_BROWSER_XSS_FILTER=${DD_SECURE_BROWSER_XSS_FILTER:-"True"} # If True, the SecurityMiddleware sets the X-XSS-Protection: 1; - either True or False
+DD_SECURE_CONTENT_TYPE_NOSNIFF=${DD_SECURE_CONTENT_TYPE_NOSNIFF:-"True"} # If True, the SecurityMiddleware sets the X-Content-Type-Options: nosniff;
 DD_LANG=${DD_LANG:-"en-us"}                              # Change the default language set
 DD_WKHTMLTOPDF=${DD_WKHTMLTOPDF:-"/usr/local/bin/wkhtmltopdf"} # Path to PDF library
 DD_TEAM_NAME=${DD_TEAM_NAME:-"Security"}                 # Security team name, used for outgoing emails

setup/scripts/common/dojo-shared-resources.sh

@@ -620,5 +620,5 @@ function slim_defect_dojo_settings() {
   # Copy settings file
   ENV_SETTINGS_FILE=dojo/settings/.env.prod
   cp dojo/settings/template-env ${ENV_SETTINGS_FILE}
-  sed -i'' "s&# DD_TRACK_MIGRATIONS=on&#DD_TRACK_MIGRATIONS=on&g" ${ENV_SETTINGS_FILE}
+  sed -i'' "s&# DD_TRACK_MIGRATIONS=True&#DD_TRACK_MIGRATIONS=True&g" ${ENV_SETTINGS_FILE}
 }

setup/scripts/common/install-env

@@ -43,9 +43,12 @@ DD_SECURE_SSL_REDIRECT=#DD_SECURE_SSL_REDIRECT#
 # Whether to use a secure cookie for the CSRF cookie - default is off
 DD_CSRF_COOKIE_SECURE=#DD_CSRF_COOKIE_SECURE#
 
-# If on, the SecurityMiddleware sets the X-XSS-Protection: 1; - default is on
+# If True, the SecurityMiddleware sets the X-XSS-Protection: 1; - default is on
 DD_SECURE_BROWSER_XSS_FILTER=#DD_SECURE_BROWSER_XSS_FILTER#
 
+# If True, the SecurityMiddleware sets the X-Content-Type-Options: nosniff;
+DD_SECURE_CONTENT_TYPE_NOSNIFF=#DD_SECURE_CONTENT_TYPE_NOSNIFF#
+
 # Change the default language set - default is en-us
 DD_LANG=#DD_LANG#
 

setup/scripts/os/linux.sh

@@ -318,6 +318,7 @@ function create_dojo_settings() {
     sed -i -e 's%#DD_PORT_SCAN_RESULT_EMAIL_FROM#%'$DD_PORT_SCAN_RESULT_EMAIL_FROM'%' "$ENV_TARGET_FILE"
     sed -i -e 's%#DD_PORT_SCAN_EXTERNAL_UNIT_EMAIL_LIST#%'$DD_PORT_SCAN_EXTERNAL_UNIT_EMAIL_LIST'%' "$ENV_TARGET_FILE"
     sed -i -e 's%#DD_PORT_SCAN_SOURCE_IP#%'$DD_PORT_SCAN_SOURCE_IP'%' "$ENV_TARGET_FILE"
+    sed -i -e 's%#DD_SECURE_CONTENT_TYPE_NOSNIFF#%'$DD_SECURE_CONTENT_TYPE_NOSNIFF'%' "$ENV_TARGET_FILE"
     # File paths for settings.py
     #sed -i -e 's%#DOJO_ROOT#%'$DOJO_ROOT'%' "$TARGET_SETTINGS_FILE"
     #sed -i -e 's%#MEDIA_ROOT#%'$MEDIA_ROOT'%' "$TARGET_SETTINGS_FILE"

setup/scripts/test/travis-unit-test.sh

@@ -16,7 +16,7 @@ export DJANGO_SETTINGS_MODULE=dojo.settings.unittest
 export DD_SECRET_KEY=`cat /dev/urandom | LC_CTYPE=C tr -dc "a-zA-Z0-9" | head -c 128`
 export DD_CREDENTIAL_AES_256_KEY=`cat /dev/urandom | LC_CTYPE=C tr -dc "a-zA-Z0-9" | head -c 128`
 export DD_DATABASE_URL="sql"
-export DD_DEBUG=on
+export DD_DEBUG=True
 
 python manage.py makemigrations dojo
 python manage.py migrate

setup/setup.bash

@@ -110,7 +110,6 @@ echo "        SESSION_COOKIE_SECURE = True"
 echo "        CSRF_COOKIE_SECURE = True"
 echo "        SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')"
 echo "        SECURE_SSL_REDIRECT = True"
-echo "        SECURE_BROWSER_XSS_FILTER = True"
 echo "        django.middleware.security.SecurityMiddleware"
 echo
 echo "When you're ready to start the DefectDojo server, type in this directory:"