Added docs.

commit 4821a04cbfc2a5ef21469c064b09a81f595ef908 1 parent 0039217
@carljm authored
1  .gitignore
@@ -2,3 +2,4 @@
htmlcov/
*.egg
django_secure*.egg-info
+doc/_build/
3  AUTHORS.rst
@@ -1 +1,4 @@
+Contributors
+============
+
Carl Meyer <carl@oddbird.net>
2  MANIFEST.in
@@ -3,3 +3,5 @@ include CHANGES.rst
include LICENSE.txt
include README.rst
include TODO.rst
+recursive-include doc *.rst *.py *.bat
+include doc/Makefile
31 README.rst
@@ -2,8 +2,14 @@
django-secure
=============
-Utilities for running a secure Django site (where all URLs in the site should
-be accessed over an HTTPS connection).
+Helping you remember to do the stupid little things to improve your Django
+site's security.
+
+Inspired by Mozilla's `Secure Coding Guidelines`_, and intended for sites that
+are entirely or mostly served over SSL (which should include anything with
+user logins).
+
+.. _Secure Coding Guidelines: https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines
Quickstart
==========
@@ -39,11 +45,14 @@ Usage
``MIDDLEWARE_CLASSES`` setting (where depends on your other middlewares, but
near the beginning of the list is probably a good choice).
-* Set the ``SECURE_SSL_REDIRECT`` setting to True if all non-SSL requests
+* Set the ``SECURE_SSL_REDIRECT`` setting to ``True`` if all non-SSL requests
should be permanently redirected to SSL.
-* Set the ``SECURE_STS_SECONDS`` setting to an integer number of seconds, if
- you want to use `Strict Transport Security`_.
+* Set the ``SECURE_HSTS_SECONDS`` setting to an integer number of seconds, if
+ you want to use `HTTP Strict Transport Security`_.
+
+* Set the ``SECURE_FRAME_DENY`` setting to ``True``, if you want to prevent
+ framing of your pages and protect them from `clickjacking`_.
* Set ``SESSION_COOKIE_SECURE`` and ``SESSION_COOKIE_HTTPONLY`` to ``True`` if
you are using ``django.contrib.sessions``. These settings are not part of
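Review bot: this hunk renames the documented setting from ``SECURE_STS_SECONDS`` to ``SECURE_HSTS_SECONDS`` (and the link target from `Strict Transport Security`_ to `HTTP Strict Transport Security`_), yet the old spelling survives in the ``check_sts`` function name documented in doc/checksecure.rst; confirm that the middleware and the check read the new name, and add a CHANGES.rst entry for the rename so a deployment that still sets ``SECURE_STS_SECONDS`` does not silently stop sending the HSTS header.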
@@ -53,7 +62,17 @@ Usage
* Run ``python manage.py checksecure`` to verify that your settings are
properly configured for serving a secure SSL site.
-.. _Strict Transport Security: http://en.wikipedia.org/wiki/Strict_Transport_Security
+.. _HTTP Strict Transport Security: http://en.wikipedia.org/wiki/Strict_Transport_Security
+
+.. _clickjacking: http://www.sectheory.com/clickjacking.htm
+
+.. warning::
+ If ``checksecure`` gives you the all-clear, all it means is that you're now
+ taking advantage of a tiny selection of simple and easy security
+ wins. That's great, but it doesn't mean your site or your codebase is
+ secure: only a competent security audit can tell you that.
+
+.. end-here
Documentation
-------------
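Review bot: ``.. end-here`` is a bare reST comment that doubles as the ``:end-before:`` marker consumed by doc/index.rst; a short note in the comment itself (e.g. ``.. end-here (marker for doc/index.rst, keep in place)``) would keep a future README edit from silently truncating or breaking the docs include.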
4 TODO.rst
@@ -1,6 +1,2 @@
TODO
====
-
-* checksecure management command (SESSION_COOKIE_SECURE,
- SESSION_COOKIE_HTTPONLY, SECURE_STS_SECONDS, SECURE_SSL_REDIRECT,
- SECURE_FRAME_DENY, SecurityMiddleware)
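Review bot: after this removal TODO.rst consists of nothing but the ``TODO`` heading, while doc/todo.rst includes it and doc/index.rst lists ``todo`` in the toctree, so the built documentation will carry an empty page; either leave a placeholder line under the heading or drop ``todo`` from the toctree until there is something to list.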
130 doc/Makefile
@@ -0,0 +1,130 @@
+# Makefile for Sphinx documentation
+#
+
+# You can set these variables from the command line.
+SPHINXOPTS =
+SPHINXBUILD = sphinx-build
+PAPER =
+BUILDDIR = _build
+
+# Internal variables.
+PAPEROPT_a4 = -D latex_paper_size=a4
+PAPEROPT_letter = -D latex_paper_size=letter
+ALLSPHINXOPTS = -d $(BUILDDIR)/doctrees $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) .
+
+.PHONY: help clean html dirhtml singlehtml pickle json htmlhelp qthelp devhelp epub latex latexpdf text man changes linkcheck doctest
+
+help:
+ @echo "Please use \`make <target>' where <target> is one of"
+ @echo " html to make standalone HTML files"
+ @echo " dirhtml to make HTML files named index.html in directories"
+ @echo " singlehtml to make a single large HTML file"
+ @echo " pickle to make pickle files"
+ @echo " json to make JSON files"
+ @echo " htmlhelp to make HTML files and a HTML help project"
+ @echo " qthelp to make HTML files and a qthelp project"
+ @echo " devhelp to make HTML files and a Devhelp project"
+ @echo " epub to make an epub"
+ @echo " latex to make LaTeX files, you can set PAPER=a4 or PAPER=letter"
+ @echo " latexpdf to make LaTeX files and run them through pdflatex"
+ @echo " text to make text files"
+ @echo " man to make manual pages"
+ @echo " changes to make an overview of all changed/added/deprecated items"
+ @echo " linkcheck to check all external links for integrity"
+ @echo " doctest to run all doctests embedded in the documentation (if enabled)"
+
+clean:
+ -rm -rf $(BUILDDIR)/*
+
+html:
+ $(SPHINXBUILD) -b html $(ALLSPHINXOPTS) $(BUILDDIR)/html
+ @echo
+ @echo "Build finished. The HTML pages are in $(BUILDDIR)/html."
+
+dirhtml:
+ $(SPHINXBUILD) -b dirhtml $(ALLSPHINXOPTS) $(BUILDDIR)/dirhtml
+ @echo
+ @echo "Build finished. The HTML pages are in $(BUILDDIR)/dirhtml."
+
+singlehtml:
+ $(SPHINXBUILD) -b singlehtml $(ALLSPHINXOPTS) $(BUILDDIR)/singlehtml
+ @echo
+ @echo "Build finished. The HTML page is in $(BUILDDIR)/singlehtml."
+
+pickle:
+ $(SPHINXBUILD) -b pickle $(ALLSPHINXOPTS) $(BUILDDIR)/pickle
+ @echo
+ @echo "Build finished; now you can process the pickle files."
+
+json:
+ $(SPHINXBUILD) -b json $(ALLSPHINXOPTS) $(BUILDDIR)/json
+ @echo
+ @echo "Build finished; now you can process the JSON files."
+
+htmlhelp:
+ $(SPHINXBUILD) -b htmlhelp $(ALLSPHINXOPTS) $(BUILDDIR)/htmlhelp
+ @echo
+ @echo "Build finished; now you can run HTML Help Workshop with the" \
+ ".hhp project file in $(BUILDDIR)/htmlhelp."
+
+qthelp:
+ $(SPHINXBUILD) -b qthelp $(ALLSPHINXOPTS) $(BUILDDIR)/qthelp
+ @echo
+ @echo "Build finished; now you can run "qcollectiongenerator" with the" \
+ ".qhcp project file in $(BUILDDIR)/qthelp, like this:"
+ @echo "# qcollectiongenerator $(BUILDDIR)/qthelp/django-secure.qhcp"
+ @echo "To view the help file:"
+ @echo "# assistant -collectionFile $(BUILDDIR)/qthelp/django-secure.qhc"
+
+devhelp:
+ $(SPHINXBUILD) -b devhelp $(ALLSPHINXOPTS) $(BUILDDIR)/devhelp
+ @echo
+ @echo "Build finished."
+ @echo "To view the help file:"
+ @echo "# mkdir -p $$HOME/.local/share/devhelp/django-secure"
+ @echo "# ln -s $(BUILDDIR)/devhelp $$HOME/.local/share/devhelp/django-secure"
+ @echo "# devhelp"
+
+epub:
+ $(SPHINXBUILD) -b epub $(ALLSPHINXOPTS) $(BUILDDIR)/epub
+ @echo
+ @echo "Build finished. The epub file is in $(BUILDDIR)/epub."
+
+latex:
+ $(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
+ @echo
+ @echo "Build finished; the LaTeX files are in $(BUILDDIR)/latex."
+ @echo "Run \`make' in that directory to run these through (pdf)latex" \
+ "(use \`make latexpdf' here to do that automatically)."
+
+latexpdf:
+ $(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
+ @echo "Running LaTeX files through pdflatex..."
+ make -C $(BUILDDIR)/latex all-pdf
+ @echo "pdflatex finished; the PDF files are in $(BUILDDIR)/latex."
+
+text:
+ $(SPHINXBUILD) -b text $(ALLSPHINXOPTS) $(BUILDDIR)/text
+ @echo
+ @echo "Build finished. The text files are in $(BUILDDIR)/text."
+
+man:
+ $(SPHINXBUILD) -b man $(ALLSPHINXOPTS) $(BUILDDIR)/man
+ @echo
+ @echo "Build finished. The manual pages are in $(BUILDDIR)/man."
+
+changes:
+ $(SPHINXBUILD) -b changes $(ALLSPHINXOPTS) $(BUILDDIR)/changes
+ @echo
+ @echo "The overview file is in $(BUILDDIR)/changes."
+
+linkcheck:
+ $(SPHINXBUILD) -b linkcheck $(ALLSPHINXOPTS) $(BUILDDIR)/linkcheck
+ @echo
+ @echo "Link check complete; look for any errors in the above output " \
+ "or in $(BUILDDIR)/linkcheck/output.txt."
+
+doctest:
+ $(SPHINXBUILD) -b doctest $(ALLSPHINXOPTS) $(BUILDDIR)/doctest
+ @echo "Testing of doctests in the sources finished, look at the " \
+ "results in $(BUILDDIR)/doctest/output.txt."
1  doc/changelog.rst
@@ -0,0 +1 @@
+.. include:: ../CHANGES.rst
129 doc/checksecure.rst
@@ -0,0 +1,129 @@
+The ``checksecure`` management command
+======================================
+
+The ``checksecure`` management command is a "linter" for simple improvements
+you could make to your site's security configuration. It just runs a list of
+check functions. Each check function can return a set of warnings, or the
+empty set if it finds nothing to warn about.
+
+.. contents:: :local:
+
+When to run it
+--------------
+
+You can run it in your local development checkout. Your local dev settings
+module may not be configured for SSL, so you may want to point it at a
+different settings module, either by setting the ``DJANGO_SETTINGS_MODULE``
+environment variable, or by passing the ``--settings`` option::
+
+ django-admin.py checksecure --settings=production_settings
+
+Or you could run it directly on a production or staging deployment to verify that the correct settings are in use.
+
+You could even make it part of your integration test suite, if you want. The
+:py:func:`djangosecure.check.run_checks` function runs all configured checks
+and returns the complete set of warnings; you could write a simple test that
+asserts that the returned value is empty.
+
+.. _built-in-checks:
+
+Built-in checks
+---------------
+
+The following check functions are built-in to django-secure, and will run by
+default
+
+.. py:currentmodule:: djangosecure.check.djangosecure
+
+.. py:function:: check_security_middleware
+
+ Warns if :doc:`middleware` is not in your ``MIDDLEWARE_CLASSES``.
+
+.. py:function:: check_sts
+
+ Warns if :ref:`SECURE_HSTS_SECONDS` is not set to a non-zero value.
+
+.. py:function:: check_frame_deny
+
+ Warns if :ref:`SECURE_FRAME_DENY` is not ``True``.
+
+.. py:function:: check_ssl_redirect
+
+ Warns if :ref:`SECURE_SSL_REDIRECT` is not ``True``.
+
+.. py:currentmodule:: djangosecure.check.sessions
+
+.. py:function:: check_session_cookie_secure
+
+ Warns if you appear to be using Django's `session framework`_ and the
+ `SESSION_COOKIE_SECURE`_ setting is not ``True``. This setting marks
+ Django's session cookie as a secure cookie, which instructs browsers not to
+ send it along with any insecure requests. Since it's trivial for a packet
+ sniffer (e.g. `Firesheep`_) to hijack a user's session if the session cookie
+ is sent unencrypted, there's really no good excuse not to have this on. (It
+ will prevent you from using sessions on insecure requests; that's a good
+ thing).
+
+.. _Firesheep: http://codebutler.com/firesheep
+
+.. _session framework: https://docs.djangoproject.com/en/dev/topics/http/sessions/
+
+.. _SESSION_COOKIE_SECURE: https://docs.djangoproject.com/en/dev/topics/http/sessions/#session-cookie-secure
+
+.. py:function:: check_session_cookie_httponly
+
+ Warns if you appear to be using Django's `session framework`_ and the
+ `SESSION_COOKIE_HTTPONLY`_ setting is not ``True``. This setting marks
+ Django's session cookie as "HTTPOnly", meaning (in supporting browsers) its
+ value can't be accessed from client-side scripts. Turning this on makes it
+ less trivial for an attacker to escalate a cross-site scripting
+ vulnerability into full hijacking of a user's session. There's not much
+ excuse for leaving this off, either: if your code depends on reading session
+ cookies from Javascript, you're probably doing it wrong.
+
+
+.. _SESSION_COOKIE_HTTPONLY: https://docs.djangoproject.com/en/dev/topics/http/sessions/#session-cookie-httponly
+
+Suggestions for additional built-in checks (or better, patches implementing
+them) are welcome!
+
+
+Modifying the list of check functions
+-------------------------------------
+
+By default, all of the :ref:`built-in checks <built-in-checks>` are run when
+you run ``./manage.py checksecure``. However, some of these checks may not be
+appropriate for your particular deployment configuration. For instance, if you
+do your HTTP->HTTPS redirection in a loadbalancer, it'd be irritating for
+``checksecure`` to constantly warn you about not having enabled
+:ref:`SECURE_SSL_REDIRECT`. You can customize the list of checks by setting the
+:ref:`SECURE_CHECKS` setting; you can just copy the default value and remove a
+check or two; you can also write your own :ref:`custom checks <custom-checks>`.
+
+.. _custom-checks:
+
+Writing custom check functions
+------------------------------
+
+A ``checksecure`` check function can be any Python function that takes no
+arguments and returns a Python iterable of warnings (an empty iterable if it
+finds nothing to warn about).
+
+Optionally, the function can have a ``messages`` attribute, which is a
+dictionary mapping short warning codes returned by the function (which will be
+displayed by ``checksecure`` if run with ``--verbosity=0``) to longer
+explanations which will be displayed by ``checksecure`` when running at its
+default verbosity level. For instance::
+
+ from django.conf import settings
+
+ def check_dont_let_the_bad_guys_in():
+ if settings.LET_THE_BAD_GUYS_IN:
+ return ["BAD_GUYS_LET_IN"]
+ return []
+
+ check_dont_let_the_bad_guys_in.messages = {
+ "BAD_GUYS_LET_IN": (
+ "Longer explanation of why it's a bad idea to let the bad guys in, "
+ "and how to correct the situation.")
+ }
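Review bot: the sentence "The following check functions are built-in to django-secure, and will run by default" is missing its terminating colon before the function list ("built into" would also read better). Separately, :py:func:`djangosecure.check.run_checks` has no matching ``.. py:function::`` entry anywhere in these docs and conf.py sets ``extensions = []`` (no autodoc), so that cross-reference will render as plain text with no link; either document ``run_checks`` with its own ``py:function`` directive (it is the entry point the "integration test" paragraph tells readers to call) or use ``literal`` markup for it.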
225 doc/conf.py
@@ -0,0 +1,225 @@
+# -*- coding: utf-8 -*-
+#
+# django-secure documentation build configuration file, created by
+# sphinx-quickstart on Sun May 29 22:59:46 2011.
+#
+# This file is execfile()d with the current directory set to its containing dir.
+#
+# Note that not all possible configuration values are present in this
+# autogenerated file.
+#
+# All configuration values have a default; values that are commented out
+# serve to show the default.
+
+# If extensions (or modules to document with autodoc) are in another directory,
+# add these directories to sys.path here. If the directory is relative to the
+# documentation root, use os.path.abspath to make it absolute, like shown here.
+#sys.path.insert(0, os.path.abspath('.'))
+
+# -- General configuration -----------------------------------------------------
+
+# If your documentation needs a minimal Sphinx version, state it here.
+#needs_sphinx = '1.0'
+
+# Add any Sphinx extension module names here, as strings. They can be extensions
+# coming with Sphinx (named 'sphinx.ext.*') or your custom ones.
+extensions = []
+
+# Add any paths that contain templates here, relative to this directory.
+templates_path = ['_templates']
+
+# The suffix of source filenames.
+source_suffix = '.rst'
+
+# The encoding of source files.
+#source_encoding = 'utf-8-sig'
+
+# The master toctree document.
+master_doc = 'index'
+
+# General information about the project.
+project = u'django-secure'
+copyright = u'2011, Carl Meyer'
+
+# The version info for the project you're documenting, acts as replacement for
+# |version| and |release|, also used in various other places throughout the
+# built documents.
+
+from os.path import join, dirname
+def get_version():
+ fh = open(join(dirname(dirname(__file__)), "djangosecure", "__init__.py"))
+ try:
+ for line in fh.readlines():
+ if line.startswith("__version__ ="):
+ return line.split("=")[1].strip().strip('"')
+ finally:
+ fh.close()
+
+# The full version, including alpha/beta/rc tags.
+release = get_version()
+
+# The short X.Y version.
+version = ".".join(release.split(".")[:2])
+
+# The language for content autogenerated by Sphinx. Refer to documentation
+# for a list of supported languages.
+#language = None
+
+# There are two options for replacing |today|: either, you set today to some
+# non-false value, then it is used:
+#today = ''
+# Else, today_fmt is used as the format for a strftime call.
+#today_fmt = '%B %d, %Y'
+
+# List of patterns, relative to source directory, that match files and
+# directories to ignore when looking for source files.
+exclude_patterns = ['_build']
+
+# The reST default role (used for this markup: `text`) to use for all documents.
+#default_role = None
+
+# If true, '()' will be appended to :func: etc. cross-reference text.
+#add_function_parentheses = True
+
+# If true, the current module name will be prepended to all description
+# unit titles (such as .. function::).
+#add_module_names = True
+
+# If true, sectionauthor and moduleauthor directives will be shown in the
+# output. They are ignored by default.
+#show_authors = False
+
+# The name of the Pygments (syntax highlighting) style to use.
+pygments_style = 'sphinx'
+
+# A list of ignored prefixes for module index sorting.
+#modindex_common_prefix = []
+
+
+# -- Options for HTML output ---------------------------------------------------
+
+# The theme to use for HTML and HTML Help pages. See the documentation for
+# a list of builtin themes.
+html_theme = 'default'
+
+# Theme options are theme-specific and customize the look and feel of a theme
+# further. For a list of options available for each theme, see the
+# documentation.
+#html_theme_options = {}
+
+# Add any paths that contain custom themes here, relative to this directory.
+#html_theme_path = []
+
+# The name for this set of Sphinx documents. If None, it defaults to
+# "<project> v<release> documentation".
+#html_title = None
+
+# A shorter title for the navigation bar. Default is the same as html_title.
+#html_short_title = None
+
+# The name of an image file (relative to this directory) to place at the top
+# of the sidebar.
+#html_logo = None
+
+# The name of an image file (within the static path) to use as favicon of the
+# docs. This file should be a Windows icon file (.ico) being 16x16 or 32x32
+# pixels large.
+#html_favicon = None
+
+# Add any paths that contain custom static files (such as style sheets) here,
+# relative to this directory. They are copied after the builtin static files,
+# so a file named "default.css" will overwrite the builtin "default.css".
+#html_static_path = ['_static']
+
+# If not '', a 'Last updated on:' timestamp is inserted at every page bottom,
+# using the given strftime format.
+#html_last_updated_fmt = '%b %d, %Y'
+
+# If true, SmartyPants will be used to convert quotes and dashes to
+# typographically correct entities.
+#html_use_smartypants = True
+
+# Custom sidebar templates, maps document names to template names.
+#html_sidebars = {}
+
+# Additional templates that should be rendered to pages, maps page names to
+# template names.
+#html_additional_pages = {}
+
+# If false, no module index is generated.
+#html_domain_indices = True
+
+# If false, no index is generated.
+#html_use_index = True
+
+# If true, the index is split into individual pages for each letter.
+#html_split_index = False
+
+# If true, links to the reST sources are added to the pages.
+#html_show_sourcelink = True
+
+# If true, "Created using Sphinx" is shown in the HTML footer. Default is True.
+#html_show_sphinx = True
+
+# If true, "(C) Copyright ..." is shown in the HTML footer. Default is True.
+#html_show_copyright = True
+
+# If true, an OpenSearch description file will be output, and all pages will
+# contain a <link> tag referring to it. The value of this option must be the
+# base URL from which the finished HTML is served.
+#html_use_opensearch = ''
+
+# This is the file name suffix for HTML files (e.g. ".xhtml").
+#html_file_suffix = None
+
+# Output file base name for HTML help builder.
+htmlhelp_basename = 'django-securedoc'
+
+
+# -- Options for LaTeX output --------------------------------------------------
+
+# The paper size ('letter' or 'a4').
+#latex_paper_size = 'letter'
+
+# The font size ('10pt', '11pt' or '12pt').
+#latex_font_size = '10pt'
+
+# Grouping the document tree into LaTeX files. List of tuples
+# (source start file, target name, title, author, documentclass [howto/manual]).
+latex_documents = [
+ ('index', 'django-secure.tex', u'django-secure Documentation',
+ u'Carl Meyer', 'manual'),
+]
+
+# The name of an image file (relative to this directory) to place at the top of
+# the title page.
+#latex_logo = None
+
+# For "manual" documents, if this is true, then toplevel headings are parts,
+# not chapters.
+#latex_use_parts = False
+
+# If true, show page references after internal links.
+#latex_show_pagerefs = False
+
+# If true, show URL addresses after external links.
+#latex_show_urls = False
+
+# Additional stuff for the LaTeX preamble.
+#latex_preamble = ''
+
+# Documents to append as an appendix to all manuals.
+#latex_appendices = []
+
+# If false, no module index is generated.
+#latex_domain_indices = True
+
+
+# -- Options for manual page output --------------------------------------------
+
+# One entry per manual page. List of tuples
+# (source start file, name, description, authors, manual section).
+man_pages = [
+ ('index', 'django-secure', u'django-secure Documentation',
+ [u'Carl Meyer'], 1)
+]
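Review bot: ``get_version()`` here is a copy of the function in setup.py (modified in this same commit), so the two will drift; reading ``djangosecure.__version__`` in one place, or importing the helper from setup.py, would avoid that. As written it also returns ``None`` when no ``__version__ =`` line is found, after which ``release.split(".")`` fails with an unhelpful ``AttributeError``; raising an explicit error in that branch would make a broken checkout obvious.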
1  doc/credits.rst
@@ -0,0 +1 @@
+.. include:: ../AUTHORS.rst
24 doc/index.rst
@@ -0,0 +1,24 @@
+.. include:: ../README.rst
+ :end-before: end-here
+
+The Details
+===========
+
+.. toctree::
+ :maxdepth: 2
+
+ philosophy
+ middleware
+ checksecure
+ settings
+ changelog
+ todo
+ credits
+
+Indices and tables
+==================
+
+* :ref:`genindex`
+* :ref:`modindex`
+* :ref:`search`
+
170 doc/make.bat
@@ -0,0 +1,170 @@
+@ECHO OFF
+
+REM Command file for Sphinx documentation
+
+if "%SPHINXBUILD%" == "" (
+ set SPHINXBUILD=sphinx-build
+)
+set BUILDDIR=_build
+set ALLSPHINXOPTS=-d %BUILDDIR%/doctrees %SPHINXOPTS% .
+if NOT "%PAPER%" == "" (
+ set ALLSPHINXOPTS=-D latex_paper_size=%PAPER% %ALLSPHINXOPTS%
+)
+
+if "%1" == "" goto help
+
+if "%1" == "help" (
+ :help
+ echo.Please use `make ^<target^>` where ^<target^> is one of
+ echo. html to make standalone HTML files
+ echo. dirhtml to make HTML files named index.html in directories
+ echo. singlehtml to make a single large HTML file
+ echo. pickle to make pickle files
+ echo. json to make JSON files
+ echo. htmlhelp to make HTML files and a HTML help project
+ echo. qthelp to make HTML files and a qthelp project
+ echo. devhelp to make HTML files and a Devhelp project
+ echo. epub to make an epub
+ echo. latex to make LaTeX files, you can set PAPER=a4 or PAPER=letter
+ echo. text to make text files
+ echo. man to make manual pages
+ echo. changes to make an overview over all changed/added/deprecated items
+ echo. linkcheck to check all external links for integrity
+ echo. doctest to run all doctests embedded in the documentation if enabled
+ goto end
+)
+
+if "%1" == "clean" (
+ for /d %%i in (%BUILDDIR%\*) do rmdir /q /s %%i
+ del /q /s %BUILDDIR%\*
+ goto end
+)
+
+if "%1" == "html" (
+ %SPHINXBUILD% -b html %ALLSPHINXOPTS% %BUILDDIR%/html
+ if errorlevel 1 exit /b 1
+ echo.
+ echo.Build finished. The HTML pages are in %BUILDDIR%/html.
+ goto end
+)
+
+if "%1" == "dirhtml" (
+ %SPHINXBUILD% -b dirhtml %ALLSPHINXOPTS% %BUILDDIR%/dirhtml
+ if errorlevel 1 exit /b 1
+ echo.
+ echo.Build finished. The HTML pages are in %BUILDDIR%/dirhtml.
+ goto end
+)
+
+if "%1" == "singlehtml" (
+ %SPHINXBUILD% -b singlehtml %ALLSPHINXOPTS% %BUILDDIR%/singlehtml
+ if errorlevel 1 exit /b 1
+ echo.
+ echo.Build finished. The HTML pages are in %BUILDDIR%/singlehtml.
+ goto end
+)
+
+if "%1" == "pickle" (
+ %SPHINXBUILD% -b pickle %ALLSPHINXOPTS% %BUILDDIR%/pickle
+ if errorlevel 1 exit /b 1
+ echo.
+ echo.Build finished; now you can process the pickle files.
+ goto end
+)
+
+if "%1" == "json" (
+ %SPHINXBUILD% -b json %ALLSPHINXOPTS% %BUILDDIR%/json
+ if errorlevel 1 exit /b 1
+ echo.
+ echo.Build finished; now you can process the JSON files.
+ goto end
+)
+
+if "%1" == "htmlhelp" (
+ %SPHINXBUILD% -b htmlhelp %ALLSPHINXOPTS% %BUILDDIR%/htmlhelp
+ if errorlevel 1 exit /b 1
+ echo.
+ echo.Build finished; now you can run HTML Help Workshop with the ^
+.hhp project file in %BUILDDIR%/htmlhelp.
+ goto end
+)
+
+if "%1" == "qthelp" (
+ %SPHINXBUILD% -b qthelp %ALLSPHINXOPTS% %BUILDDIR%/qthelp
+ if errorlevel 1 exit /b 1
+ echo.
+ echo.Build finished; now you can run "qcollectiongenerator" with the ^
+.qhcp project file in %BUILDDIR%/qthelp, like this:
+ echo.^> qcollectiongenerator %BUILDDIR%\qthelp\django-secure.qhcp
+ echo.To view the help file:
+ echo.^> assistant -collectionFile %BUILDDIR%\qthelp\django-secure.ghc
+ goto end
+)
+
+if "%1" == "devhelp" (
+ %SPHINXBUILD% -b devhelp %ALLSPHINXOPTS% %BUILDDIR%/devhelp
+ if errorlevel 1 exit /b 1
+ echo.
+ echo.Build finished.
+ goto end
+)
+
+if "%1" == "epub" (
+ %SPHINXBUILD% -b epub %ALLSPHINXOPTS% %BUILDDIR%/epub
+ if errorlevel 1 exit /b 1
+ echo.
+ echo.Build finished. The epub file is in %BUILDDIR%/epub.
+ goto end
+)
+
+if "%1" == "latex" (
+ %SPHINXBUILD% -b latex %ALLSPHINXOPTS% %BUILDDIR%/latex
+ if errorlevel 1 exit /b 1
+ echo.
+ echo.Build finished; the LaTeX files are in %BUILDDIR%/latex.
+ goto end
+)
+
+if "%1" == "text" (
+ %SPHINXBUILD% -b text %ALLSPHINXOPTS% %BUILDDIR%/text
+ if errorlevel 1 exit /b 1
+ echo.
+ echo.Build finished. The text files are in %BUILDDIR%/text.
+ goto end
+)
+
+if "%1" == "man" (
+ %SPHINXBUILD% -b man %ALLSPHINXOPTS% %BUILDDIR%/man
+ if errorlevel 1 exit /b 1
+ echo.
+ echo.Build finished. The manual pages are in %BUILDDIR%/man.
+ goto end
+)
+
+if "%1" == "changes" (
+ %SPHINXBUILD% -b changes %ALLSPHINXOPTS% %BUILDDIR%/changes
+ if errorlevel 1 exit /b 1
+ echo.
+ echo.The overview file is in %BUILDDIR%/changes.
+ goto end
+)
+
+if "%1" == "linkcheck" (
+ %SPHINXBUILD% -b linkcheck %ALLSPHINXOPTS% %BUILDDIR%/linkcheck
+ if errorlevel 1 exit /b 1
+ echo.
+ echo.Link check complete; look for any errors in the above output ^
+or in %BUILDDIR%/linkcheck/output.txt.
+ goto end
+)
+
+if "%1" == "doctest" (
+ %SPHINXBUILD% -b doctest %ALLSPHINXOPTS% %BUILDDIR%/doctest
+ if errorlevel 1 exit /b 1
+ echo.
+ echo.Testing of doctests in the sources finished, look at the ^
+results in %BUILDDIR%/doctest/output.txt.
+ goto end
+)
+
+:end
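Review bot: in the ``qthelp`` target the last echoed command points at ``%BUILDDIR%\qthelp\django-secure.ghc``, while the equivalent line in doc/Makefile uses the ``.qhc`` extension that qcollectiongenerator produces; change ``.ghc`` to ``.qhc`` so the printed command actually works on Windows.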
98 doc/middleware.rst
@@ -0,0 +1,98 @@
+SecurityMiddleware
+==================
+
+The ``djangosecure.middleware.SecurityMiddleware`` performs three different
+tasks for you. Each one can be independently enabled or disabled with a
+setting.
+
+.. contents:: :local:
+
+.. _x-frame-options:
+
+X-Frame-Options: DENY
+---------------------
+
+`Clickjacking`_ attacks use layered frames to mislead users into clicking on a
+different link from the one they think they are clicking on. Fortunately, newer
+browsers support an ``X-Frame-Options`` header that allows you to limit or
+prevent the display of your pages within a frame. Valid options are "DENY" or
+"SAMEORIGIN" - the former prevents all framing of your site, and the latter
+allows only sites within the same domain to frame.
+
+Unless you have a need for frames, your best bet is to set "X-Frame-Options:
+DENY" -- and this is what ``SecurityMiddleware`` will do for all responses, if
+the :ref:`SECURE_FRAME_DENY` setting is ``True``.
+
+If you have a few pages that should be frame-able, you can set the
+"X-Frame-Options" header on the response to "SAMEORIGIN" in the view;
+``SecurityMiddleware`` will not override an already-present "X-Frame-Options"
+header. If you don't want the "X-Frame-Options" header on this view's response
+at all, decorate the view with the ``frame_deny_exempt`` decorator::
+
+ from djangosecure.decorators import frame_deny_exempt
+
+ @frame_deny_exempt
+ def my_view(request):
+ # ...
+
+.. _Clickjacking: http://www.sectheory.com/clickjacking.htm
+
+.. _http-strict-transport-security:
+
+HTTP Strict Transport Security
+------------------------------
+
+For sites that should only be accessed over HTTPS, you can instruct newer
+browsers to refuse to connect to your domain name via an insecure connection
+(for a given period of time) by setting the `"Strict-Transport-Security"
+header`_. This reduces your exposure to some SSL-stripping man-in-the-middle
+(MITM) attacks.
+
+``SecurityMiddleware`` will set this header for you on all HTTPS responses if
+you set the :ref:`SECURE_HSTS_SECONDS` setting to a nonzero integer value.
+
+.. warning::
+ The HSTS policy applies to your entire domain, not just the URL of the
+ response that you set the header on. Therefore, you should only use it if
+ your entire domain is served via HTTPS only.
+
+.. warning::
+ Browsers properly respecting the HSTS header will refuse to allow users to
+ bypass warnings and connect to a site with an expired, self-signed, or
+ otherwise invalid SSL certificate. If you use HSTS, make sure your
+ certificates are in good shape and stay that way!
+
+.. _"Strict-Transport-Security" header: http://en.wikipedia.org/wiki/Strict_Transport_Security
+
+.. _ssl-redirect:
+
+SSL Redirect
+------------
+
+If your site offers both HTTP and HTTPS connections, most users will end up on
+with an unsecured connection by default. For best security, you should redirect
+all HTTP connections to HTTPS.
+
+If you set the :ref:`SECURE_SSL_REDIRECT` setting to True,
+``SecurityMiddleware`` will permanently (HTTP 301) redirect all HTTP
+connections to HTTPS.
+
+.. note::
+ For performance reasons, it's preferable to do these redirects outside of
+ Django, in a front-end loadbalancer or reverse-proxy server such as
+ `nginx`_. In some deployment situations this isn't an option -
+ :ref:`SECURE_SSL_REDIRECT` is intended for those cases.
+
+If the :ref:`SECURE_SSL_HOST` setting has a value, all redirects will be sent
+to that host instead of the originally-requested host.
+
+If there are a few pages on your site that should be available over HTTP, and
+not redirected to HTTPS, you can list regular expressions to match those URLs
+in the :ref:`SECURE_REDIRECT_EXEMPT` setting.
+
+.. note::
+ If you are deployed behind a load-balancer or reverse-proxy server, and
+ Django can't seem to tell when a request actually is already secure, you
+ may need to set the :ref:`SECURE_PROXY_SSL_HEADER` setting.
+
+.. _nginx: http://nginx.org
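Review bot: "most users will end up on with an unsecured connection" at the start of the SSL Redirect section has a stray "on", and ``True`` in "If you set the :ref:`SECURE_SSL_REDIRECT` setting to True" lacks the double-backtick literal markup used everywhere else in this file (the README hunk in this commit makes exactly that fix). One caveat worth adding to the same section: because the redirect is a 301, a non-GET request that arrives over plain HTTP is replayed by browsers as a GET without its body, so the redirect is a safety net for navigation, not a substitute for pointing forms and API clients at HTTPS URLs in the first place.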
10 doc/philosophy.rst
@@ -0,0 +1,10 @@
+Design Goals
+------------
+
+Django-secure does not make your site secure. It does not audit code, or do
+intrusion detection, or really do anything particularly interesting or
+complicated.
+
+Django-secure is an automated low-hanging-fruit checklist. Django-secure helps
+you remember the stupid simple things that improve your site's security,
+reminds you to do those easy things, and makes them as easy as possible to do.
99 doc/settings.rst
@@ -0,0 +1,99 @@
+Settings Reference
+==================
+
+.. contents:: :local:
+
+.. _SECURE_CHECKS:
+
+SECURE_CHECKS
+-------------
+
+A list of strings. Each string should be a Python dotted path to a function
+implementing a configuration check that will be run by the :doc:`checksecure
+management command <checksecure>`.
+
+Defaults to::
+
+ [
+ "djangosecure.check.sessions.check_session_cookie_secure",
+ "djangosecure.check.sessions.check_session_cookie_httponly",
+ "djangosecure.check.djangosecure.check_security_middleware",
+ "djangosecure.check.djangosecure.check_sts",
+ "djangosecure.check.djangosecure.check_frame_deny",
+ "djangosecure.check.djangosecure.check_ssl_redirect",
+ ]
+
+.. _SECURE_FRAME_DENY:
+
+SECURE_FRAME_DENY
+-----------------
+
+If set to ``True``, causes :doc:`middleware` to set the :ref:`x-frame-options`
+header on all responses that do not already have that header (and where the
+view was not decorated with the ``frame_deny_exempt`` decorator).
+
+Defaults to ``False``.
+
+.. _SECURE_HSTS_SECONDS:
+
+SECURE_HSTS_SECONDS
+-------------------
+
+If set to a non-zero integer value, causes :doc:`middleware` to set the
+:ref:`http-strict-transport-security` header on all responses that do not
+already have that header.
+
+Defaults to ``0``.
+
+.. _SECURE_PROXY_SSL_HEADER:
+
+SECURE_PROXY_SSL_HEADER
+-----------------------
+
+In some deployment scenarios, Django's ``request.is_secure()`` method returns
+``False`` even on requests that are actually secure, because the HTTPS
+connection is made to a front-end loadbalancer or reverse-proxy, and the
+internal proxied connection that Django sees is not HTTPS. Usually in these
+cases the proxy server provides an alternative header to indicate the secured
+external connection. This setting, if set, should be a tuple of ("header",
+"value"); if "header" is set to "value" in the request, django-secure will
+consider it a secure request. For example::
+
+ SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTOCOL", "https")
+
+Defaults to ``None``.
+
+.. _SECURE_REDIRECT_EXEMPT:
+
+SECURE_REDIRECT_EXEMPT
+----------------------
+
+Should be a list of regular expressions. Any URL path matching a regular
+expression in this list will not be redirected to HTTPS, if
+:ref:`SECURE_SSL_REDIRECT` is ``True`` (if it is ``False`` this setting has no
+effect).
+
+Defaults to ``[]``.
+
+.. _SECURE_SSL_HOST:
+
+SECURE_SSL_HOST
+---------------
+
+If set to a string (e.g. ``secure.example.com``), all SSL redirects will be
+directed to this host rather than the originally-requested host
+(e.g. ``www.example.com``). If :ref:`SECURE_SSL_REDIRECT` is ``False``, this
+setting has no effect.
+
+Defaults to ``None``.
+
+.. _SECURE_SSL_REDIRECT:
+
+SECURE_SSL_REDIRECT
+-------------------
+
+If set to ``True``, causes :doc:`middleware` to :ref:`redirect <ssl-redirect>`
+all non-HTTPS requests to HTTPS (except for those URLs matching a regular
+expression listed in :ref:`SECURE_REDIRECT_EXEMPT`).
+
+Defaults to ``False``.
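Review bot: the SECURE_PROXY_SSL_HEADER entry needs a trust caveat: django-secure treats a request as secure whenever the named header carries the given value, so the docs should state that the front-end proxy must set or strip that header on every incoming request; if a client-supplied ``X-Forwarded-Protocol: https`` can reach Django unchanged, the client can make a plain-HTTP request look secure and skip the SSL redirect. Separately, SECURE_REDIRECT_EXEMPT says "any URL path matching a regular expression" without saying whether the pattern is anchored at the start of the path or whether the path includes its leading slash; spell out the exact rule (for instance, ``re.match`` against the path with the leading slash removed, if that is what the middleware does) so exemptions are not written broader than intended.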
1  doc/todo.rst
@@ -0,0 +1 @@
+.. include:: ../TODO.rst
2  setup.py
@@ -13,7 +13,7 @@ def get_version():
try:
for line in fh.readlines():
if line.startswith("__version__ ="):
- return line.split("=")[1].strip()
+ return line.split("=")[1].strip().strip('"')
finally:
fh.close()
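Review bot: ``.strip('"')`` only removes double quotes, so a single-quoted ``__version__ = '0.1'`` in ``djangosecure/__init__.py`` would keep its quotes and produce a bad ``version`` argument for ``setup()``; stripping both quote characters (``.strip('"\'')``) or parsing the right-hand side with ``ast.literal_eval`` is more robust.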