For more detailed security information on Django, see their security documentation.
Activate Apache's SSL Module
sudo a2enmod ssl
sudo service apache2 restart
Install SSL/TLS certificate and key
Either place your own certificate and key pair or create a self-signed pair. Keep in mind that a self-signed certificate only encrypts the connection; it does not authenticate the server, so a user who clicks through the browser warning gets no protection against an attacker who interposes their own self-signed certificate. It is best to use a valid, verifiable certificate that users do not have to manually accept. Create a directory for the certificate and key pair:
sudo mkdir /etc/apache2/ssl
Optional: If you need to create a self-signed certificate (the -nodes flag leaves the private key unencrypted so Apache can start unattended, so make sure the key file is readable by root only):
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt
Add the following directives to Kraken's VirtualHost entry in /etc/apache2/sites-available/000-default.conf. They belong in the VirtualHost that listens on the TLS port (443 by default once the ssl module is enabled), not in a plain port-80 entry:
SSLEngine on
SSLCertificateFile "/etc/apache2/ssl/apache.crt"
SSLCertificateKeyFile "/etc/apache2/ssl/apache.key"
Check the configuration with apache2ctl configtest before restarting. After restarting the apache2 service, HTTPS will be required to access Kraken.
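The whole Apache procedure above, collected into one script as an added example (this is not Kraken's own install script). It writes the TLS directives into a port-443 VirtualHost alongside a port-80 entry that redirects to HTTPS, generates the self-signed pair only when no certificate exists yet, and locks down the key file. The page edits 000-default.conf in place; this example writes a separate site file so the generated text can be reviewed first. The site file name kraken-ssl.conf and the ServerName kraken.example.com are assumptions, and the application-specific directives of Kraken's existing entry are left as a placeholder.

```shell
#!/bin/sh
# Added example (not Kraken's install script): TLS for Kraken on Apache.
# Paths under /etc/apache2/ssl match the page; the site file name and
# ServerName below are assumptions for this example.
set -eu

SSL_DIR="${SSL_DIR:-/etc/apache2/ssl}"
SERVER_NAME="${SERVER_NAME:-kraken.example.com}"   # assumption: set to the real host name

# Emit the vhost text. Only the TLS and redirect parts are shown; Kraken's
# existing application directives stay exactly as they are in its entry.
render_vhost() {
    cat <<EOF
<VirtualHost *:80>
    ServerName $SERVER_NAME
    # Send every plain-HTTP request to the TLS listener
    Redirect permanent / https://$SERVER_NAME/
</VirtualHost>

<VirtualHost *:443>
    ServerName $SERVER_NAME
    SSLEngine on
    SSLCertificateFile "$SSL_DIR/apache.crt"
    SSLCertificateKeyFile "$SSL_DIR/apache.key"
    # ... Kraken's existing application directives go here unchanged ...
</VirtualHost>
EOF
}

# Create a self-signed pair only when no certificate is present, then
# make the unencrypted (-nodes) private key readable by root only.
ensure_cert() {
    mkdir -p "$SSL_DIR"
    if [ ! -f "$SSL_DIR/apache.crt" ]; then
        openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
            -subj "/CN=$SERVER_NAME" \
            -keyout "$SSL_DIR/apache.key" -out "$SSL_DIR/apache.crt"
    fi
    chmod 600 "$SSL_DIR/apache.key"
}

# Apply everything on the server (run as root).
apply() {
    a2enmod ssl
    ensure_cert
    render_vhost > /etc/apache2/sites-available/kraken-ssl.conf   # assumption: file name
    a2ensite kraken-ssl
    apache2ctl configtest      # refuse to restart Apache on a broken config
    service apache2 restart
}

# Without --apply the script only prints the vhost it would install.
if [ "${1:-}" = "--apply" ]; then
    apply
else
    render_vhost
fi
```

Run it once without arguments to review the generated VirtualHost text, then with --apply as root. Because apache2ctl configtest runs before the restart, a typo in the directives leaves the old configuration serving rather than taking Kraken down.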
Enable Security Headers
Uncomment lines 30-33 of /opt/Kraken/Kraken/settings.py. These settings make the application more secure once SSL/TLS is enabled (with plain HTTP they would break sessions, since Secure cookies are never sent over HTTP). The configuration changes these settings make are:
- Enable the Secure flag on session cookies
- Issue CSRF tokens
- Enable HTTP Strict Transport Security (HSTS)
Turn Off Verbose Errors
Verbose error messages are informative during development, or while debugging the app in the field as a tester, but they must be disabled when Kraken runs on a production server as a fixed asset: with DEBUG enabled, Django's error page shows anyone who can trigger an exception the stack trace, local variables, and the settings module. Change the DEBUG variable on line 23 of /opt/Kraken/Kraken/settings.py to False to disable verbose error messages. Note that with DEBUG set to False, Django only serves requests whose Host header matches an entry in ALLOWED_HOSTS, so that setting must list the hostname Kraken is served under.
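As an added example (not Kraken's settings.py), here are the Django settings that implement the two sections above, together with a small audit function that reports which of them a settings module still has in its development state. The setting names are real Django settings; the HSTS max-age of one year is an assumption for this example, and DEV_SETTINGS is a constructed sample of a settings module with the hardening lines still commented out.

```python
"""Added example (not Kraken's own code): Django hardening settings plus an audit."""

# Production values. The names are real Django settings; the one-year HSTS
# max-age is an assumption chosen for this example.
HARDENED = {
    "DEBUG": False,                       # no stack traces or settings dumps to clients
    "SESSION_COOKIE_SECURE": True,        # Secure flag on the session cookie
    "CSRF_COOKIE_SECURE": True,           # Secure flag on the CSRF cookie
    "SECURE_SSL_REDIRECT": True,          # Django itself redirects http:// to https://
    "SECURE_HSTS_SECONDS": 31536000,      # Strict-Transport-Security max-age
    "SECURE_HSTS_INCLUDE_SUBDOMAINS": True,
}


def audit_settings(settings):
    """Return a list of findings; empty when `settings` matches HARDENED.

    `settings` is any mapping of setting name to value. A missing name is
    reported as found None, which is what a commented-out line produces.
    """
    findings = []
    for name, wanted in HARDENED.items():
        actual = settings.get(name)
        if name == "SECURE_HSTS_SECONDS":
            ok = isinstance(actual, int) and actual > 0   # any positive max-age enables HSTS
        else:
            ok = actual == wanted
        if not ok:
            findings.append(f"{name}: expected {wanted!r}, found {actual!r}")
    return findings


def audit_module(module):
    """Audit an imported settings module, e.g. audit_module(Kraken.settings)."""
    return audit_settings({k: getattr(module, k) for k in dir(module) if k.isupper()})


# Constructed sample: a settings module in its development state, where the
# hardening lines are commented out (so the names are absent) and DEBUG is on.
DEV_SETTINGS = {
    "DEBUG": True,
    "ALLOWED_HOSTS": ["*"],
    "SECRET_KEY": "dev-only-not-a-real-key",
}

if __name__ == "__main__":
    for line in audit_settings(DEV_SETTINGS) or ["settings are hardened"]:
        print(line)
```

Django ships an equivalent check as `python manage.py check --deploy`, which warns about the same settings; the function above is useful when the settings module has to be inspected outside a Django process, for instance from a deployment script.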