Define Content-Security-Policy header to block inline JavaScript
Also define the same headers in a middleware during testing and development,
so that a container does not have to be built for every change.
atodorov committed Mar 8, 2023
1 parent ba358cb commit 6617cee
Showing 4 changed files with 27 additions and 1 deletion.
2 changes: 2 additions & 0 deletions etc/nginx.conf
Expand Up @@ -62,8 +62,10 @@ http {
server unix:///tmp/kiwitcms.sock;
}

# WARNING: make sure these match tcms.core.middleware.ExtraHeadersMiddleware
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header Content-Security-Policy "script-src 'self' cdn.crowdin.com;";

server {
listen 8080;
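Review bot: The three `add_header` directives sit in the `http {}` context, and nginx discards every inherited `add_header` in any `server` or `location` block that declares even one `add_header` of its own, so the CSP can silently disappear on those paths; the `server { listen 8080;` block at the end of the hunk continues outside it, so whether such a block exists cannot be checked here. That rule belongs next to the existing WARNING, e.g. `# NOTE: add_header is not inherited into server/location blocks that set their own add_header`. The policy could also be tightened without touching the scripts it currently allows, e.g. `add_header Content-Security-Policy "script-src 'self' cdn.crowdin.com; object-src 'none'; base-uri 'self';";`, which additionally denies plugin content and keeps relative URLs anchored to the site's own origin.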
17 changes: 17 additions & 0 deletions tcms/core/middleware.py
Expand Up @@ -18,3 +18,20 @@ def process_request(self, request):
# Redirect to Setup view
return HttpResponseRedirect(reverse("init-db"))
return None


class ExtraHeadersMiddleware(MiddlewareMixin):
"""
This is enabled only during testing and development. The actual headers
are configured in `etc/nginx.conf`!
"""

def process_response(self, request, response):
if settings.DEBUG:
response.headers["X-Frame-Options"] = "DENY"
response.headers["X-Content-Type-Options"] = "nosniff"
response.headers[
"Content-Security-Policy"
] = "script-src 'self' cdn.crowdin.com;"

return response
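Review bot: `process_response` only sets the headers when `settings.DEBUG` is true, yet Django's test runner forces `DEBUG = False` unless invoked with `--debug-mode`, so under `manage.py test` this middleware would presumably emit nothing even though its docstring says it covers testing; the guard also looks redundant, since the only place this page installs the class is `tcms/settings/devel.py`. Dropping `if settings.DEBUG:` and setting the three headers unconditionally would make the behaviour match the docstring, and the policy string could live in a module-level constant, e.g. `CONTENT_SECURITY_POLICY = "script-src 'self' cdn.crowdin.com;"`, so the comment in `etc/nginx.conf` has a single value to point at. The docstring should mirror nginx.conf's warning and state that these values must be kept byte-identical to the `add_header` lines there, otherwise behaviour verified in development differs from production. `process_request` at the top of the hunk begins outside it; `response.headers` presumably requires Django 3.2 or later, which is worth confirming against the project's pinned version.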
5 changes: 4 additions & 1 deletion tcms/settings/devel.py
Expand Up @@ -30,7 +30,10 @@
}
# django-debug-toolbar settings

MIDDLEWARE += ["debug_toolbar.middleware.DebugToolbarMiddleware"] # noqa: F405
MIDDLEWARE += [ # noqa: F405
"debug_toolbar.middleware.DebugToolbarMiddleware",
"tcms.core.middleware.ExtraHeadersMiddleware",
]

INSTALLED_APPS += ["debug_toolbar"] # noqa: F405

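Review bot: The middleware is registered only in `tcms/settings/devel.py`, so if the test suite runs under a separate settings module that does not import this file, the headers the commit message says are "also defined during testing" are never set there; worth confirming and, if so, adding `"tcms.core.middleware.ExtraHeadersMiddleware"` to that module as well. Listing it after `DebugToolbarMiddleware` means its `process_response` runs first on the way out, so the toolbar sees a response that already carries the CSP; if the installed debug-toolbar version still injects inline `<script>` into HTML responses, `script-src 'self'` will block it in the browser, which deserves a one-line comment beside the entry, e.g. `# CSP is set here too; the debug toolbar must not depend on inline scripts`.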
4 changes: 4 additions & 0 deletions tests/test_http.sh
Expand Up @@ -87,6 +87,10 @@ _EOF_
rlRun -t -c "curl -k -D- https://localhost 2>/dev/null | grep 'X-Content-Type-Options: nosniff'"
rlPhaseEnd

rlPhaseStartTest "Should send Content-Security-Policy header"
rlRun -t -c "curl -k -D- https://localhost 2>/dev/null | grep $'Content-Security-Policy: script-src \'self\' cdn.crowdin.com;'"
rlPhaseEnd

rlPhaseStartTest "Performance baseline for /accounts/register/"
exec_wrk "https://localhost/accounts/login/" "$WRK_DIR" "register-account-page"
rlPhaseEnd
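Review bot: The grep pattern on the new `rlRun` line is an unanchored basic regex, so the `.` characters in `cdn.crowdin.com` match any byte and a value with further directives appended after the expected `;` also passes; `grep -F` makes the comparison literal, e.g. `grep -F $'Content-Security-Policy: script-src \'self\' cdn.crowdin.com;'`, and anchoring is unnecessary since `-D-` prints one header per line. The phase only fetches `/`; because nginx does not inherit `add_header` into a `server`/`location` block that sets its own, a second request against a path served by a different location block, if the config has one, would confirm the header survives there as well.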
