Secure Heroku #87
It runs really well! Here it is deployed to my Heroku server: https://tarot-prod.herokuapp.com/ Thanks, @UmarGit! However, I noticed a few things, such as the local test dev server now throwing an SSL error. Here is part of the error:
When I Google this bad request, other Django users seem to encounter this message when trying to access the Django web server over https. More here. Switching back to http is the answer according to Stack Overflow; however, when I switch from https to http, my web browsers (Firefox and Chrome) both redirect automatically to https. Why is my local Django dev server encountering a bad request, and how do I run my local server over https without encountering an SSL error? Here is:
I was sure to test with both postgres and db.sqlite3. Same issue. Is the source of this problem lines 165 and 166 in
I've also identified two minor bugs with the new timeout feature:
By the way, I've made some changes to your files, so you may need to rebase against my
I have DJANGO_DEBUG set to False as a config var. Yet Django on Heroku is still failing the security check:
My SECRET_KEY is longer than 50 characters. I checked the config var in Heroku. It also looks like Heroku is defaulting to db.sqlite3 as well. I feel like I am overlooking something really trivial. I apologize for my newbie questions.
That's because you may have:

```python
import os

if os.environ.get('DJANGO_DEBUG', '') != 'False':  # When DJANGO_DEBUG=<any value other than False>
    # These are used on the local environment
    DEBUG = True
    SECURE_HSTS_SECONDS = 10
    SECURE_SSL_REDIRECT = False
    SESSION_COOKIE_SECURE = False
    CSRF_COOKIE_SECURE = False
else:  # When DJANGO_DEBUG=False
    # These are the Django checks to be enabled on production
    DEBUG = False
    SECURE_HSTS_SECONDS = 10
    SECURE_SSL_REDIRECT = True
    SESSION_COOKIE_SECURE = True
    CSRF_COOKIE_SECURE = True
```

In a local environment, we need to unset the
In my local venv, I ran:
I also cleared the cookies and the cache, yet
@enoren5, please clear your
I cleared my browser cache and cookies in Firefox, Edge and Opera and mindfully (very carefully and deliberately) opened a new tab in each web browser and navigated to
@enoren5, I see you have made some changes in the
Because of that, some variables are mis-configured as:

```python
SECURE_SSL_REDIRECT = False
SESSION_COOKIE_SECURE = False
CSRF_COOKIE_SECURE = False
```

These variables need to be set to False in a local environment.
Lines 40-42 read as follows: tarot_juicer/tarot_juicer/settings.py Lines 40 to 42 in 5cb3639
Since SSL/cookie security is irrelevant when testing locally, it would make sense for these to be declared as 'False'. You added these variables and I did not change them. The only major change I made to tarot_juicer/tarot_juicer/settings.py Line 36 in 5cb3639
In your version you used the double negation
One Stack Exchange contributor suggests navigating to
Next I went to I closed Chrome and re-opened it. The Django dev server is still broken. In my last-ditch effort I spun up a live [ngrok](https://ngrok.com/) mirror of my local dev server, and Django seems to be running OK. You can see them here: If you visit those links in Chrome it should work. So at this point, the problem is not with the Python code by @UmarGit but with a local setting in my Chrome browser configuration, which I'll continue to troubleshoot in my spare time and maybe extend as a new proposal on Upwork at a later date if necessary. Thanks @UmarGit for your patience while I struggle with configuring and managing this SSL issue in my Chrome web browser. What remains outstanding are the other elements of the original Upwork contract as outlined in GitHub issue #83.
Making Heroku Secure
We need to set up some config vars:
- DJANGO_DEBUG: Set its value to False to run the app in production; this will also resolve the check deploy issues.
- ALLOWED_HOSTS: Set its value by adding multiple hosts, separating each host by a space: host1 host2 host3
- ADMIN_PATH: Set its value to make the admin path as secure as you prefer.
That's all I had done, @enoren5 brother.
Best Regards,
Umar Ahmed
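As an added example (not code from this PR or the project), the two settings patterns in this thread, the DJANGO_DEBUG branch in settings.py and the DJANGO_DEBUG / ALLOWED_HOSTS / ADMIN_PATH config vars listed above, combined into one testable function. The case-insensitive parsing, the fail-closed default when the var is unset, and the local-host defaults are assumptions of this example, and deploy_problems is a hand-written stand-in for Django's check --deploy, not Django's checker.

```python
import os

# Spellings of DJANGO_DEBUG that select production (case-insensitive here; the
# settings.py quoted in the thread recognises only the exact string 'False').
_FALSY = {"false", "0", "no", "off"}


def is_debug(raw):
    """Map the DJANGO_DEBUG config var to Django's DEBUG flag."""
    # Unset or blank means production, so a missing config var fails closed
    # instead of leaving DEBUG on (a hardened choice made for this example).
    if raw is None or not raw.strip():
        return False
    return raw.strip().lower() not in _FALSY


def security_settings(env=None):
    """Derive the security-related Django settings from an environment mapping."""
    env = os.environ if env is None else env
    debug = is_debug(env.get("DJANGO_DEBUG"))
    # ALLOWED_HOSTS is one config var of space-separated hosts ("host1 host2 host3").
    hosts = env.get("ALLOWED_HOSTS", "").split()
    # ADMIN_PATH replaces the default "admin/" URL prefix; normalise to "name/".
    admin_path = env.get("ADMIN_PATH", "admin").strip("/") + "/"
    return {
        "DEBUG": debug,
        "ALLOWED_HOSTS": hosts or (["localhost", "127.0.0.1"] if debug else []),
        "ADMIN_PATH": admin_path,
        # Production turns the transport and cookie flags on. Locally they must
        # stay off: runserver speaks plain HTTP, so a forced redirect to https
        # (or a cached HSTS policy) leaves the browser unable to load the site.
        "SECURE_SSL_REDIRECT": not debug,
        "SESSION_COOKIE_SECURE": not debug,
        "CSRF_COOKIE_SECURE": not debug,
        "SECURE_HSTS_SECONDS": 10 if not debug else 0,
    }


def deploy_problems(settings):
    """Hand-written subset of what 'manage.py check --deploy' would flag."""
    problems = []
    if settings["DEBUG"]:
        problems.append("DEBUG must be False in production")
    if not settings["ALLOWED_HOSTS"]:
        problems.append("ALLOWED_HOSTS must not be empty")
    for flag in ("SECURE_SSL_REDIRECT", "SESSION_COOKIE_SECURE", "CSRF_COOKIE_SECURE"):
        if not settings[flag]:
            problems.append(f"{flag} should be True")
    return problems
```

Running `deploy_problems(security_settings({"DJANGO_DEBUG": "false", "ALLOWED_HOSTS": "tarot-prod.herokuapp.com"}))` returns an empty list, whereas the same call with `"DJANGO_DEBUG": "True"` lists DEBUG and all three transport flags.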