root: fix system check warnings

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
goauthentik · Jan 23, 2024 · 9d1dbe4 · 9d1dbe4
1 parent ff5d15b
commit 9d1dbe4
Show file tree

Hide file tree

Showing 4 changed files with 16 additions and 4 deletions.
diff --git a/authentik/root/settings.py b/authentik/root/settings.py
@@ -453,6 +453,17 @@
     "CELERY",
 ]
 
+SILENCED_SYSTEM_CHECKS = [
+    # We use our own subclass of django.middleware.csrf.CsrfViewMiddleware
+    "security.W003",
+    # We don't set SESSION_COOKIE_SECURE since we use a custom SessionMiddleware subclass
+    "security.W010",
+    # HSTS: This is configured in reverse proxies/the go proxy, not in django
+    "security.W004",
+    # https redirect: This is configured in reverse proxies/the go proxy, not in django
+    "security.W008",
+]
+
 
 def _update_settings(app_path: str):
     try:

diff --git a/lifecycle/ak b/lifecycle/ak
@@ -50,10 +50,6 @@ function set_mode {
     trap cleanup EXIT
 }
 
-function run_django_checks {
-    python -m manage check --deploy
-}
-
 function cleanup {
     rm -f ${MODE_FILE}
 }

diff --git a/lifecycle/migrate.py b/lifecycle/migrate.py
@@ -111,5 +111,8 @@ def release_lock(cursor: Cursor):
             ) from exc
         execute_from_command_line(["", "migrate_schemas"])
         execute_from_command_line(["", "migrate_schemas", "--schema", "template", "--tenant"])
+        execute_from_command_line(
+            ["", "check"] + ([] if CONFIG.get_bool("debug") else ["--deploy"])
+        )
     finally:
         release_lock(curr)
diff --git a/website/docs/installation/reverse-proxy.md b/website/docs/installation/reverse-proxy.md
@@ -48,6 +48,8 @@ server {
     ssl_certificate /etc/letsencrypt/live/domain.tld/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/domain.tld/privkey.pem;
 
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
     # Proxy site
     location / {
         proxy_pass https://authentik;