
The checksecure management command

The checksecure management command is a "linter" for simple improvements you could make to your site's security configuration. It just runs a list of check functions. Each check function can return a set of warnings, or the empty set if it finds nothing to warn about.

When to run it

You can run it in your local development checkout. Your local dev settings module may not be configured for SSL, so you may want to point it at a different settings module, either by setting the DJANGO_SETTINGS_MODULE environment variable, or by passing the --settings option:

django-admin.py checksecure --settings=production_settings

Or you could run it directly on a production or staging deployment to verify that the correct settings are in use.

You could even make it part of your integration test suite, if you want. The :py:func:`djangosecure.check.run_checks` function runs all configured checks and returns the complete set of warnings; you could write a simple test that asserts that the returned value is empty.

Built-in checks

The following check functions are built into django-secure and run by default:

Suggestions for additional built-in checks (or better, patches implementing them) are welcome!

Modifying the list of check functions

By default, all of the :ref:`built-in checks <built-in-checks>` are run when you run ./manage.py checksecure. However, some of these checks may not be appropriate for your particular deployment configuration. For instance, if you do your HTTP->HTTPS redirection in a load balancer, it'd be irritating for checksecure to constantly warn you about not having enabled :ref:`SECURE_SSL_REDIRECT`. You can customize the list of checks by setting the :ref:`SECURE_CHECKS` setting: copy the default value and remove a check or two, or add your own :ref:`custom checks <custom-checks>`.
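A settings fragment for the load-balancer case just described, added here as an example rather than taken from the django-secure docs. The dotted paths are assumed to match the default SECURE_CHECKS value shipped with django-secure; copy the default from your installed version rather than from this listing, then drop the entry you do not want.

```python
# settings.py for a production deployment where the load balancer already
# redirects HTTP to HTTPS, so the SECURE_SSL_REDIRECT check would only nag.
#
# Added example, not django-secure's own configuration. The entries below are
# assumed to be the package's default SECURE_CHECKS list; verify them against
# the default in the version you have installed before relying on this.
SECURE_CHECKS = [
    "djangosecure.check.csrf.check_csrf_middleware",
    "djangosecure.check.sessions.check_session_cookie_secure",
    "djangosecure.check.sessions.check_session_cookie_httponly",
    "djangosecure.check.djangosecure.check_security_middleware",
    "djangosecure.check.djangosecure.check_sts",
    "djangosecure.check.djangosecure.check_frame_deny",
    "djangosecure.check.djangosecure.check_content_type_nosniff",
    "djangosecure.check.djangosecure.check_xss_filter",
    # "djangosecure.check.djangosecure.check_ssl_redirect",  # redirect is done upstream
    "djangosecure.check.djangosecure.check_secret_key",
]
```

Keeping the removed entry as a comment records why the check is absent, so a later reader does not assume it was dropped by accident.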

Writing custom check functions

A checksecure check function can be any Python function that takes no arguments and returns a Python iterable of warnings (an empty iterable if it finds nothing to warn about).

Optionally, the function can have a messages attribute: a dictionary mapping each short warning code the function may return to a longer explanation. checksecure displays only the short codes when run with --verbosity=0, and the longer explanations when running at its default verbosity level. For instance:

from django.conf import settings

def check_dont_let_the_bad_guys_in():
    if settings.LET_THE_BAD_GUYS_IN:
        return ["BAD_GUYS_LET_IN"]
    return []

check_dont_let_the_bad_guys_in.messages = {
    "BAD_GUYS_LET_IN": (
        "Longer explanation of why it's a bad idea to let the bad guys in, "
        "and how to correct the situation.")
}
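The complete picture, as an added example that is not django-secure's own code: two custom check functions written to the contract above, a small runner that aggregates their warnings the way the text describes :py:func:`djangosecure.check.run_checks` doing, and a renderer that shows how verbosity selects between codes and explanations. To run offline it uses a constructed stand-in for django.conf.settings; a real check would import the Django settings object instead.

```python
"""Custom checksecure-style checks with a minimal stand-in runner.

Added example, not django-secure's code. ``settings`` below is a constructed
stand-in for ``django.conf.settings`` so the file runs without Django; the
runner and renderer mirror the documented contract (each check returns an
iterable of warning codes; an optional ``messages`` attribute maps codes to
longer explanations) rather than reproducing the project's implementation.
"""
from types import SimpleNamespace

# Constructed sample settings: deliberately insecure so both checks fire.
settings = SimpleNamespace(
    DEBUG=True,
    ALLOWED_HOSTS=["*"],
)


def check_debug_disabled():
    """Warn if DEBUG is on: Django error pages then expose settings and source."""
    return ["DEBUG_ENABLED"] if settings.DEBUG else []


check_debug_disabled.messages = {
    "DEBUG_ENABLED": (
        "DEBUG is True. Set DEBUG = False in production so error pages do not "
        "reveal settings, SQL queries and source code."),
}


def check_allowed_hosts():
    """Warn if ALLOWED_HOSTS is empty or contains '*' (Host header validation off)."""
    hosts = getattr(settings, "ALLOWED_HOSTS", [])
    if not hosts:
        return ["ALLOWED_HOSTS_EMPTY"]
    if "*" in hosts:
        return ["ALLOWED_HOSTS_WILDCARD"]
    return []


check_allowed_hosts.messages = {
    "ALLOWED_HOSTS_EMPTY": "ALLOWED_HOSTS is empty; list the hostnames you serve.",
    "ALLOWED_HOSTS_WILDCARD": (
        "ALLOWED_HOSTS contains '*', which disables Host header validation. "
        "List the exact hostnames instead."),
}


def run_checks(checks):
    """Run every check and return the union of warning codes (empty set = clean)."""
    warnings = set()
    for check in checks:
        warnings.update(check())
    return warnings


def render_warnings(checks, verbosity=1):
    """One line per warning: bare codes at verbosity 0, code plus explanation otherwise."""
    lines = []
    for check in checks:
        messages = getattr(check, "messages", {})
        for code in check():
            if verbosity == 0:
                lines.append(code)
            else:
                # A code the author forgot to document falls back to the bare code.
                lines.append(f"{code}: {messages.get(code, code)}")
    return lines


# The equivalent of SECURE_CHECKS, as callables rather than dotted paths.
CHECKS = [check_debug_disabled, check_allowed_hosts]

if __name__ == "__main__":
    for line in render_warnings(CHECKS):
        print(line)
    # An integration test can simply assert that run_checks(...) is empty;
    # here the exit status carries the same verdict for CI.
    raise SystemExit(1 if run_checks(CHECKS) else 0)
```

Returning a set from the runner is what makes the integration-test idea from earlier on the page a one-liner: the test passes exactly when the set is empty, and on failure the set itself names every misconfiguration.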