diff --git a/authentik/root/settings.py b/authentik/root/settings.py
index 2a5d1f617d90..9cfc3350d501 100644
--- a/authentik/root/settings.py
+++ b/authentik/root/settings.py
@@ -453,6 +453,17 @@
 "CELERY",
 ]
 
+SILENCED_SYSTEM_CHECKS = [
+ # We use our own subclass of django.middleware.csrf.CsrfViewMiddleware
+ "security.W003",
+ # We don't set SESSION_COOKIE_SECURE since we use a custom SessionMiddleware subclass
+ "security.W010",
+ # HSTS: This is configured in reverse proxies/the go proxy, not in django
+ "security.W004",
+ # https redirect: This is configured in reverse proxies/the go proxy, not in django
+ "security.W008",
+]
+
 
 def _update_settings(app_path: str):
 try:
diff --git a/lifecycle/ak b/lifecycle/ak
index f73d46b15ed1..a66662181759 100755
--- a/lifecycle/ak
+++ b/lifecycle/ak
@@ -50,10 +50,6 @@ function set_mode {
 trap cleanup EXIT
 }
 
-function run_django_checks {
- python -m manage check --deploy
-}
-
 function cleanup {
 rm -f ${MODE_FILE}
 }
diff --git a/lifecycle/migrate.py b/lifecycle/migrate.py
index 590568c09385..489ffa909a27 100755
--- a/lifecycle/migrate.py
+++ b/lifecycle/migrate.py
@@ -111,5 +111,8 @@ def release_lock(cursor: Cursor):
 ) from exc
 execute_from_command_line(["", "migrate_schemas"])
 execute_from_command_line(["", "migrate_schemas", "--schema", "template", "--tenant"])
+ execute_from_command_line(
+ ["", "check"] + ([] if CONFIG.get_bool("debug") else ["--deploy"])
+ )
 finally:
 release_lock(curr)
diff --git a/website/docs/installation/reverse-proxy.md b/website/docs/installation/reverse-proxy.md
index c123e4b183b0..5b7b0cdafb34 100644
--- a/website/docs/installation/reverse-proxy.md
+++ b/website/docs/installation/reverse-proxy.md
@@ -48,6 +48,8 @@ server {
 ssl_certificate /etc/letsencrypt/live/domain.tld/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/domain.tld/privkey.pem;
 
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
 # Proxy site
 location / {
 proxy_pass https://authentik;
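Review bot: In authentik/root/settings.py the new `SILENCED_SYSTEM_CHECKS` list switches these four warnings off unconditionally, so if the custom CSRF or session middleware is later removed, or stops marking the cookie Secure, `check --deploy` will no longer report it. The comments give the reason but not where the replacement lives; naming the class in each comment would let a reader verify the claim, e.g. `# security.W010: Secure flag is applied by <SessionMiddleware subclass, module path>`. The W004 and W008 entries depend on every supported front end sending HSTS and redirecting to HTTPS, and the only proxy example this commit touches is the nginx one in reverse-proxy.md, so the other documented setups are presumably worth checking. Listing the IDs in numeric order would also make the list easier to audit against Django's check reference.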
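Review bot: In lifecycle/migrate.py the added `check` call aborts only on messages at ERROR level or above, because Django's `check` command defaults to `--fail-level ERROR`; the `security.W…` deploy findings are warnings and will be printed without stopping the run. If the check is meant to gate startup, pass the level explicitly, `["", "check"] + ([] if CONFIG.get_bool("debug") else ["--deploy", "--fail-level", "WARNING"])`; if it is advisory, a comment such as `# advisory: deploy warnings are printed, only errors abort` would make that clear. The call also sits after both `migrate_schemas` invocations and inside the lock, so a failing check exits with the schema already migrated. The enclosing `try` starts outside the hunk.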