Secure Heroku #87

Merged
merged 1 commit into from Mar 12, 2021
Conversation

UmarGit
Contributor

@UmarGit UmarGit commented Mar 11, 2021

Making Heroku Secure

We need to setup some config vars as:

  • DJANGO_DEBUG: set its value to False to run the app in production; this will also resolve the check --deploy issues
  • ALLOWED_HOSTS: set its value to multiple hosts separated by a space, e.g. host1 host2 host3
  • ADMIN_PATH: set its value to make the admin path as secure as you prefer

Note: I have made the configuration work both locally and remotely, perfectly. 😄

That's all I have done, @enoren5 brother.

Best Regards,
Umar Ahmed

Secure Heroku
@enoren5
Owner

enoren5 commented Mar 12, 2021

It runs really well! Here it is deployed to my Heroku server: https://tarot-prod.herokuapp.com/

Thanks, @UmarGit!

However, I noticed a few things; for example, the local test dev server now throws an SSL error. Here is part of the error:

[12/Mar/2021 14:16:54] code 400, message Bad request version ('\x8a\x8a\x13\x01\x13\x02\x13\x03À+À/À,À0̨̩À\x13À\x14\x00\x9c\x00\x9d\x00/\x005\x01\x00\x01\x93')
[12/Mar/2021 14:16:54] You're accessing the development server over HTTPS, but it only supports HTTP.

When I Google this bad request, other Django users seem to encounter this message when trying to access the Django web server over https. More here. Switching back to http is the answer according to Stack Overflow; however, when I switch from https to http, my web browsers (Firefox and Chrome) both redirect automatically to https. Why is my local Django dev server encountering a bad request, and how do I run my local server over https without encountering an SSL error?

Here is:

(local venv) $ echo $DJANGO_DEBUG        
True

I was sure to test with both postgres and db.sqlite3. Same issue. Is the source of this problem lines 165 and 166 in settings.py?

@enoren5
Owner

enoren5 commented Mar 12, 2021

I've also identified two minor bugs with the new timeout feature:

  1. Refreshing the gateway increments attempts by 1 even when the web visitor hasn’t entered anything. This needs to be corrected so that when the page refreshes, the attempts variable does not increment.
  2. Once the attempts reaches the maxAttempts, the web visitor is locked out. This is good. However if the web visitor enters a correct passphrase, then clicks “Logout” on /portal, then the gateway web page still counts that correct passphrase as an incorrect attempt. This needs to be corrected so that after the web visitor enters a correct passphrase, then the timer should reset back up to maxAttempts.
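The two counter bugs listed above, worked through as an added example that is not the project's gateway code: a session-backed attempt counter in plain Python, with a dict standing in for Django's request.session, that only counts a POST that actually carries a passphrase (so a refresh does not increment it) and resets the counter and lockout on a correct passphrase (so a later logout cannot leave a stale count behind). MAX_ATTEMPTS, LOCKOUT_SECONDS, the session key names and the return labels are assumptions of this example, not values from the project.

```python
import hmac
import time

# Constructed stand-alone example (not the project's code): a lockout counter
# for a passphrase gateway, keyed on a per-visitor session.  `session` is a
# plain dict here; in Django it would be request.session.

MAX_ATTEMPTS = 5          # assumed value; the thread calls this maxAttempts
LOCKOUT_SECONDS = 300     # assumed length of the lockout window


def _now():
    return time.time()


def is_locked(session, now=None):
    """True while a lockout window is active; clears expired windows."""
    now = _now() if now is None else now
    until = session.get("gateway_locked_until", 0)
    if until and now < until:
        return True
    if until:
        # window expired: forget the burst of failures that caused it
        session.pop("gateway_locked_until", None)
        session["gateway_attempts"] = 0
    return False


def remaining_attempts(session):
    return MAX_ATTEMPTS - session.get("gateway_attempts", 0)


def handle_gateway(session, method, submitted, expected, now=None):
    """Process one request to the gateway page.

    Returns 'form', 'locked', 'granted' or 'denied'.
    Bug 1 fix: only a POST with a non-empty passphrase is an attempt, so a
    refresh (GET) or an empty submission leaves the counter untouched.
    Bug 2 fix: a correct passphrase resets the counter and any lockout.
    """
    now = _now() if now is None else now
    if is_locked(session, now):
        return "locked"
    if method != "POST" or not submitted:
        return "form"
    # constant-time comparison so response timing does not reveal how much
    # of the passphrase matched
    if hmac.compare_digest(submitted.encode(), expected.encode()):
        session["gateway_attempts"] = 0
        session.pop("gateway_locked_until", None)
        session["gateway_authenticated"] = True
        return "granted"
    attempts = session.get("gateway_attempts", 0) + 1
    session["gateway_attempts"] = attempts
    if attempts >= MAX_ATTEMPTS:
        session["gateway_locked_until"] = now + LOCKOUT_SECONDS
        return "locked"
    return "denied"


def logout(session):
    """Drop only the authentication flag; the counter stays where the last success left it."""
    session.pop("gateway_authenticated", None)


if __name__ == "__main__":
    s = {}
    print(handle_gateway(s, "GET", "", "open-sesame"), remaining_attempts(s))
    print(handle_gateway(s, "POST", "wrong", "open-sesame"), remaining_attempts(s))
    print(handle_gateway(s, "POST", "open-sesame", "open-sesame"), remaining_attempts(s))
    logout(s)
    print(remaining_attempts(s))
```

The `now` parameter exists so the lockout window can be tested deterministically; in a view you would simply omit it.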

@enoren5 enoren5 merged commit 74ad6f7 into enoren5:master Mar 12, 2021
@enoren5
Owner

enoren5 commented Mar 12, 2021

By the way, I've made some changes to your files so you may need to rebase against my master branch.

@enoren5
Owner

enoren5 commented Mar 12, 2021

I have DJANGO_DEBUG set to False as a config var. Yet Django on Heroku is still failing the security check:

(remote) $ python manage.py check --deploy

WARNINGS:
?: (security.W005) You have not set the SECURE_HSTS_INCLUDE_SUBDOMAINS setting to True. Without this, your site is potentially vulnerable to attack via an insecure connection to a subdomain. Only set this to True if you are certain that all subdomains of your domain should be served exclusively via SSL.
?: (security.W009) Your SECRET_KEY has less than 50 characters or less than 5 unique characters. Please generate a long and random SECRET_KEY, otherwise many of Django's security-critical features will be vulnerable to attack.
?: (security.W018) You should not have DEBUG set to True in deployment.
?: (security.W021) You have not set the SECURE_HSTS_PRELOAD setting to True. Without this, your site cannot be submitted to the browser preload list.

System check identified 4 issues (0 silenced).
(remote)  $ echo $DJANGO_DEBUG

(remote)  $ echo $DATABASE_URL

My SECRET_KEY is longer than 50 characters. I checked the config var in Heroku.

It also looks like Heroku is defaulting to db.sqlite3 as well. I feel like I am overlooking something really trivial. I apologize for my newbie questions.

@UmarGit
Contributor Author

UmarGit commented Mar 12, 2021

It runs really well! Here it is deployed to my Heroku server: https://tarot-prod.herokuapp.com/

Thanks, @UmarGit!

However, I noticed a few things; for example, the local test dev server now throws an SSL error. Here is part of the error:

[12/Mar/2021 14:16:54] code 400, message Bad request version ('\x8a\x8a\x13\x01\x13\x02\x13\x03À+À/À,À0̨̩À\x13À\x14\x00\x9c\x00\x9d\x00/\x005\x01\x00\x01\x93')
[12/Mar/2021 14:16:54] You're accessing the development server over HTTPS, but it only supports HTTP.

When I Google this bad request, other Django users seem to encounter this message when trying to access the Django web server over https. More here. Switching back to http is the answer according to Stack Overflow; however, when I switch from https to http, my web browsers (Firefox and Chrome) both redirect automatically to https. Why is my local Django dev server encountering a bad request, and how do I run my local server over https without encountering an SSL error?

Here is:

(local venv) $ echo $DJANGO_DEBUG        
True

I was sure to test with both postgres and db.sqlite3. Same issue. Is the source of this problem lines 165 and 166 in settings.py?

That's because you may have the DJANGO_DEBUG env variable on your local machine set to a value other than False; this opens the condition for the secure SSL redirect as:

import os

if os.environ.get('DJANGO_DEBUG', '') != 'False':       # When DJANGO_DEBUG=<any value other than False>, including unset
    # These are used in the local environment
    DEBUG = True
    SECURE_HSTS_SECONDS = 10
    SECURE_SSL_REDIRECT = False
    SESSION_COOKIE_SECURE = False
    CSRF_COOKIE_SECURE = False
else:                                                   # When DJANGO_DEBUG=False
    # These are the Django checks to be enabled in production
    DEBUG = False
    SECURE_HSTS_SECONDS = 10
    SECURE_SSL_REDIRECT = True
    SESSION_COOKIE_SECURE = True
    CSRF_COOKIE_SECURE = True

In a local environment, we need to unset the DJANGO_DEBUG variable. You also need to clear the browser cache.
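An added example, not the project's settings.py, that ties the DJANGO_DEBUG switch above to the check --deploy warnings quoted earlier in this thread (W005, W009, W018, W021). It offers two ways to read the variable: the thread's `!= 'False'` test, under which an absent variable lands in debug mode, and a fail-closed test under which only the literal string True enables debug mode. deploy_check is a small local imitation of the conditions behind those four Django warnings, not Django's own checker, and the PRODUCTION and LOCAL dicts, the policy names, the one-year HSTS value and generate_secret_key are assumptions of this example.

```python
import secrets

# Constructed stand-alone example (not the project's settings.py).

PRODUCTION = {
    "DEBUG": False,
    "SECURE_SSL_REDIRECT": True,
    "SESSION_COOKIE_SECURE": True,
    "CSRF_COOKIE_SECURE": True,
    "SECURE_HSTS_SECONDS": 31536000,  # one year; the 10 s in the PR is a smoke-test value
    "SECURE_HSTS_INCLUDE_SUBDOMAINS": True,
    "SECURE_HSTS_PRELOAD": True,
}

LOCAL = {
    "DEBUG": True,
    "SECURE_SSL_REDIRECT": False,
    "SESSION_COOKIE_SECURE": False,
    "CSRF_COOKIE_SECURE": False,
    "SECURE_HSTS_SECONDS": 0,  # no HSTS header at all from a dev server
    "SECURE_HSTS_INCLUDE_SUBDOMAINS": False,
    "SECURE_HSTS_PRELOAD": False,
}


def debug_enabled(environ, policy="fail-closed"):
    """Interpret the DJANGO_DEBUG config var.

    policy="thread":      the `!= 'False'` test from the PR, so an unset or
                          misspelled variable silently enables debug mode.
    policy="fail-closed": only the literal (case-insensitive) string "true"
                          enables debug mode; anything else means production.
    """
    raw = environ.get("DJANGO_DEBUG", "")
    if policy == "thread":
        return raw != "False"
    return raw.strip().lower() == "true"


def build_settings(environ, policy="fail-closed"):
    """Assemble the security-relevant settings from a process environment."""
    settings = dict(LOCAL if debug_enabled(environ, policy) else PRODUCTION)
    # ALLOWED_HOSTS is given as "host1 host2 host3" in the PR description
    settings["ALLOWED_HOSTS"] = environ.get("ALLOWED_HOSTS", "").split()
    settings["SECRET_KEY"] = environ.get("SECRET_KEY", "")
    return settings


def deploy_check(settings):
    """Return the security.W0xx codes this settings dict would trigger.

    Mirrors the conditions behind the four warnings quoted in the thread:
    W018 DEBUG on; W009 SECRET_KEY shorter than 50 chars or with fewer than
    5 distinct chars; W005/W021 HSTS enabled without includeSubDomains / preload.
    """
    found = []
    if settings["DEBUG"]:
        found.append("security.W018")
    key = settings["SECRET_KEY"]
    if len(key) < 50 or len(set(key)) < 5:
        found.append("security.W009")
    if settings["SECURE_HSTS_SECONDS"] and not settings["SECURE_HSTS_INCLUDE_SUBDOMAINS"]:
        found.append("security.W005")
    if settings["SECURE_HSTS_SECONDS"] and not settings["SECURE_HSTS_PRELOAD"]:
        found.append("security.W021")
    return sorted(found)


def generate_secret_key():
    """A SECRET_KEY that satisfies W009: 86 URL-safe characters from os.urandom."""
    return secrets.token_urlsafe(64)


if __name__ == "__main__":
    # With DJANGO_DEBUG absent from the environment (as the empty `echo` in the
    # thread shows), the PR's test still selects the debug branch, hence W018.
    print(deploy_check(build_settings({}, policy="thread")))
    print(deploy_check(build_settings({}, policy="fail-closed")))
    prod = build_settings({"DJANGO_DEBUG": "False",
                           "SECRET_KEY": generate_secret_key(),
                           "ALLOWED_HOSTS": "example.herokuapp.com www.example.org"})
    print(prod["ALLOWED_HOSTS"], deploy_check(prod))
```

The point of the fail-closed policy is that a missing or mistyped config var degrades to the production settings rather than to DEBUG=True; the unset variable in the local shell and the empty echo on the dyno are the same failure mode seen from two sides.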

@enoren5
Owner

enoren5 commented Mar 13, 2021

In a local environment, we need to unset the DJANGO_DEBUG variable. You also need to clear the browser cache.

In my local venv, I ran: $ unset DJANGO_DEBUG. Then I ran the server. I continue to receive this output:

[13/Mar/2021 00:12:50] code 400, message Bad request version ('XâF0S\x8b¨ÿö°ú´M\x83ßç\x00"ªª\x13\x01\x13\x02\x13\x03À+À/À,À0̨̩À\x13À\x14\x00\x9c\x00\x9d\x00/\x005\x00')
[13/Mar/2021 00:12:50] You're accessing the development server over HTTPS, but it only supports HTTP.

I also cleared the cookies and the cache, yet https://127.0.0.1:8000/ as well as localhost:8000 continue to show: "ERR_CONNECTION_REFUSED"

@UmarGit
Contributor Author

UmarGit commented Mar 13, 2021

In a local environment, we need to unset the DJANGO_DEBUG variable. You also need to clear the browser cache.

In my local venv, I ran: $ unset DJANGO_DEBUG. Then I ran the server. I continue to receive this output:

[13/Mar/2021 00:12:50] code 400, message Bad request version ('XâF0S\x8b¨ÿö°ú´M\x83ßç\x00"ªª\x13\x01\x13\x02\x13\x03À+À/À,À0̨̩À\x13À\x14\x00\x9c\x00\x9d\x00/\x005\x00')
[13/Mar/2021 00:12:50] You're accessing the development server over HTTPS, but it only supports HTTP.

I also cleared the cookies and the cache, yet https://127.0.0.1:8000/ as well as localhost:8000 continue to show: "ERR_CONNECTION_REFUSED"

@enoren5, please clear your browser cache, then go to http://127.0.0.1:8000

@enoren5
Owner

enoren5 commented Mar 14, 2021

In a local environment, we need to unset the DJANGO_DEBUG variable. You also need to clear the browser cache.

In my local venv, I ran: $ unset DJANGO_DEBUG. Then I ran the server. I continue to receive this output:

[13/Mar/2021 00:12:50] code 400, message Bad request version ('XâF0S\x8b¨ÿö°ú´M\x83ßç\x00"ªª\x13\x01\x13\x02\x13\x03À+À/À,À0̨̩À\x13À\x14\x00\x9c\x00\x9d\x00/\x005\x00')
[13/Mar/2021 00:12:50] You're accessing the development server over HTTPS, but it only supports HTTP.

I also cleared the cookies and the cache, yet https://127.0.0.1:8000/ as well as localhost:8000 continue to show: "ERR_CONNECTION_REFUSED"

@enoren5, please clear your browser cache, then go to http://127.0.0.1:8000

I cleared my browser cache and cookies in Firefox, Edge, Opera and mindfully (very carefully and deliberately) opened a new tab in each web browser and navigated to http://127.0.0.1:8000 (not https://) and Django is still showing an SSL error. I've documented all of that here: https://youtu.be/F3oczR5o3Go

@UmarGit
Contributor Author

UmarGit commented Mar 14, 2021

In a local environment, we need to unset the DJANGO_DEBUG variable. You also need to clear the browser cache.

In my local venv, I ran: $ unset DJANGO_DEBUG. Then I ran the server. I continue to receive this output:

[13/Mar/2021 00:12:50] code 400, message Bad request version ('XâF0S\x8b¨ÿö°ú´M\x83ßç\x00"ªª\x13\x01\x13\x02\x13\x03À+À/À,À0̨̩À\x13À\x14\x00\x9c\x00\x9d\x00/\x005\x00')
[13/Mar/2021 00:12:50] You're accessing the development server over HTTPS, but it only supports HTTP.

I also cleared the cookies and the cache, yet https://127.0.0.1:8000/ as well as localhost:8000 continue to show: "ERR_CONNECTION_REFUSED"

@enoren5, please clear your browser cache, then go to http://127.0.0.1:8000

I cleared my browser cache and cookies in Firefox, Edge, Opera and mindfully (very carefully and deliberately) opened a new tab in each web browser and navigated to http://127.0.0.1:8000 (not https://) and Django is still showing an SSL error. I've documented all of that here: https://youtu.be/F3oczR5o3Go

@enoren5, I see you had made some changes in the settings.py file.

@UmarGit
Contributor Author

UmarGit commented Mar 14, 2021

Because of that, some variables are misconfigured as:

    SECURE_SSL_REDIRECT = False
    SESSION_COOKIE_SECURE = False
    CSRF_COOKIE_SECURE = False

These variables need to be False in the local environment.

@enoren5
Owner

enoren5 commented Mar 15, 2021

Lines 40-42 read as follows:

SECURE_SSL_REDIRECT = False
SESSION_COOKIE_SECURE = False
CSRF_COOKIE_SECURE = False

Since SSL/cookie security is irrelevant when testing locally, it would make sense for these to be declared as 'False'. You added these variables and I did not change these.

The only major change I made to settings.py was line 36:

if os.environ.get('DJANGO_DEBUG', '') == 'True':

In your version you used the double negation != 'False' at line 36, which I felt was redundant and might be a little easier to read, so I changed it to == 'True'. I have since changed it back to != 'False'. There is still an SSL error in Chrome, and Django continues to show this traceback:

[15/Mar/2021 01:04:07] You're accessing the development server over HTTPS, but it only supports HTTP.

The http://localhost:8000 seems to work intermittently in Firefox and Opera but it is still not working at all in Edge or Chrome.

One Stack Exchange contributor suggests navigating to chrome://net-internals/#hsts and deleting domain security policies by entering the domain and then pressing the Delete button. These were the four domains I entered (and deleted):

http://localhost:8000
https://localhost:8000
https://127.0.0.1:8000
http://127.0.0.1:8000

Next I went to chrome://settings/clearBrowserData and deleted everything.

I closed Chrome and re-opened it.

The Django dev server is still broken.

In my last-ditch effort I spun up a live [ngrok](https://ngrok.com/) mirror of my local dev server, and Django seems to be running OK. You can see them here:
http://2e15e3e759bb.ngrok.io
https://2e15e3e759bb.ngrok.io

If you visit those links in Chrome it should work.

So at this point, the problem is not with the Python code by @UmarGit but with a local setting in my Chrome browser configuration which I'll continue to troubleshoot in my spare time and maybe extend as a new proposal on Upwork at a later date if necessary.

Thanks @UmarGit for your patience while I struggle with configuring and managing this SSL issue in my Chrome web browser.

What remains outstanding are the other elements to the original Upwork contract as outlined in GitHub issue #83.
