Security unit tests #298
We currently use Django's check system to test a number of security settings: CSRF protection, HTTPS redirect, etc.
However, these checks are quite brittle: many simply do a check for a specific string in the list of middlewares plus a specific setting.
When using a custom or third-party middleware that replaces one of Django's, silencing the check is required. This means no check is being done, and it can be quite dangerous if the custom middleware is then removed (as happened to us recently).
There are some checks, such as the secret key check, that cannot be made into unit tests as they are dependent on where Inboxen is being deployed. Anything that doesn't change based on user configuration should have a test.
Checks that should be unit tests: