New warning message during modoboa upgrade #1592

Open
stefaweb opened this Issue Oct 16, 2018 · 3 comments

stefaweb commented Oct 16, 2018

Hello!

During the upgrade to modoboa 1.11.1, contacts 0.7.2 and webmail 1.5.0, I got a new warning message.

(env) modoboa@mailhub:~/instance$ python manage.py check --deploy
System check identified some issues:

WARNINGS:
?: (security.W001) You do not have 'django.middleware.security.SecurityMiddleware' in your MIDDLEWARE so the SECURE_HSTS_SECONDS, SECURE_CONTENT_TYPE_NOSNIFF, SECURE_BROWSER_XSS_FILTER, and SECURE_SSL_REDIRECT settings will have no effect.
?: (security.W012) SESSION_COOKIE_SECURE is not set to True. Using a secure-only session cookie makes it more difficult for network traffic sniffers to hijack user sessions.
?: (security.W016) You have 'django.middleware.csrf.CsrfViewMiddleware' in your MIDDLEWARE, but you have not set CSRF_COOKIE_SECURE to True. Using a secure-only CSRF cookie makes it more difficult for network traffic sniffers to steal the CSRF token.

System check identified 3 issues (1 silenced).

The previous upgrade did not print these messages.

Tibase commented Oct 24, 2018

Hello,

I have the same warning messages after updating from 1.10.6.

@tonioo tonioo added the enhancement label Nov 20, 2018

Schokobecher commented Nov 27, 2018

same here - 1.10. to 1.12.2

(env) modoboa@mail:~/instance$ python2 manage.py check --deploy
System check identified some issues:

WARNINGS:
?: (modoboa-amavis.W001) AMAVIS_DEFAULT_DATABASE_ENCODING does not match the character encoding used by the Amavis database.
HINT: Check your database character encoding and set/update AMAVIS_DEFAULT_DATABASE_ENCODING.
?: (security.W001) You do not have 'django.middleware.security.SecurityMiddleware' in your MIDDLEWARE so the SECURE_HSTS_SECONDS, SECURE_CONTENT_TYPE_NOSNIFF, SECURE_BROWSER_XSS_FILTER, and SECURE_SSL_REDIRECT settings will have no effect.
?: (security.W012) SESSION_COOKIE_SECURE is not set to True. Using a secure-only session cookie makes it more difficult for network traffic sniffers to hijack user sessions.
?: (security.W016) You have 'django.middleware.csrf.CsrfViewMiddleware' in your MIDDLEWARE, but you have not set CSRF_COOKIE_SECURE to True. Using a secure-only CSRF cookie makes it more difficult for network traffic sniffers to steal the CSRF token.

@tonioo tonioo added this to the 1.13.0 milestone Nov 28, 2018

tonioo added a commit that referenced this issue Nov 28, 2018

Member

tonioo commented Nov 28, 2018

I've just pushed a fix for security.W012 and security.W016.
More information about security.W001 can be found here: https://docs.djangoproject.com/en/1.11/ref/middleware/#module-django.middleware.security.
@Schokobecher About modoboa-amavis.W001, you must adjust your configuration.
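
The settings behind the three security.* warnings reported in this thread, as an added example that is not part of the thread and not the commit referenced above. The setting and middleware names are Django's; `BEFORE`, `harden()` and `remaining_warnings()` are hypothetical helpers, and the sample settings are constructed.

```python
# Added example, not modoboa or Django code. Setting names are Django's;
# BEFORE, harden() and remaining_warnings() are hypothetical helpers.
SECURITY_MW = "django.middleware.security.SecurityMiddleware"
CSRF_MW = "django.middleware.csrf.CsrfViewMiddleware"

# Constructed settings that reproduce the state the warnings describe.
BEFORE = {
    "MIDDLEWARE": [
        "django.contrib.sessions.middleware.SessionMiddleware",
        "django.middleware.common.CommonMiddleware",
        CSRF_MW,
    ],
    "SESSION_COOKIE_SECURE": False,
    "CSRF_COOKIE_SECURE": False,
}


def harden(settings):
    """Return a copy with the values that clear W001, W012 and W016.

    Assumes the instance is only reachable over HTTPS: browsers do not send
    Secure cookies over plain HTTP, so logins would break otherwise.
    """
    out = dict(settings)
    rest = [m for m in settings.get("MIDDLEWARE", []) if m != SECURITY_MW]
    # Placed first so an SSL redirect happens before other middleware runs.
    out["MIDDLEWARE"] = [SECURITY_MW] + rest
    out["SESSION_COOKIE_SECURE"] = True
    out["CSRF_COOKIE_SECURE"] = True
    return out


def remaining_warnings(settings):
    """Simplified model of the three checks; returns the ids that would fire."""
    middleware = settings.get("MIDDLEWARE", [])
    ids = []
    if SECURITY_MW not in middleware:
        ids.append("security.W001")
    if settings.get("SESSION_COOKIE_SECURE") is not True:
        ids.append("security.W012")
    # W016 only applies when the CSRF middleware is enabled.
    if CSRF_MW in middleware and settings.get("CSRF_COOKIE_SECURE") is not True:
        ids.append("security.W016")
    return ids


if __name__ == "__main__":
    print("before:", remaining_warnings(BEFORE))
    print("after: ", remaining_warnings(harden(BEFORE)))
```

Adding the middleware only makes the SECURE_* settings named in W001 take effect; each still has to be given a value in the instance's settings.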
