Closed Bug 1243036 Opened 10 years ago Closed 10 years ago

Fix issues identified by ./.manage.py check --deploy

Categories

(developer.mozilla.org Graveyard :: BrowserCompat, defect)

Platform: All
OS: Other
Type: defect
Priority: Not set
Severity: critical

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: jwhitlock, Unassigned, Mentored)

References

Details

(Whiteboard: [specification][type:bug][bc:infra][bc:milestone=bicycle])

What did you do?
================

1. Run heroku run --app browsercompat "./manage.py check --deploy"

What happened?
==============

Security warnings issued:

?: (security.W001) You do not have 'django.middleware.security.SecurityMiddleware' in your MIDDLEWARE_CLASSES so the SECURE_HSTS_SECONDS, SECURE_CONTENT_TYPE_NOSNIFF, SECURE_BROWSER_XSS_FILTER, and SECURE_SSL_REDIRECT settings will have no effect.

?: (security.W009) Your SECRET_KEY has less than 50 characters or less than 5 unique characters. Please generate a long and random SECRET_KEY, otherwise many of Django's security-critical features will be vulnerable to attack.

?: (security.W012) SESSION_COOKIE_SECURE is not set to True. Using a secure-only session cookie makes it more difficult for network traffic sniffers to hijack user sessions.

?: (security.W016) You have 'django.middleware.csrf.CsrfViewMiddleware' in your MIDDLEWARE_CLASSES, but you have not set CSRF_COOKIE_SECURE to True. Using a secure-only CSRF cookie makes it more difficult for network traffic sniffers to steal the CSRF token.

?: (security.W017) You have 'django.middleware.csrf.CsrfViewMiddleware' in your MIDDLEWARE_CLASSES, but you have not set CSRF_COOKIE_HTTPONLY to True. Using an HttpOnly CSRF cookie makes it more difficult for cross-site scripting attacks to steal the CSRF token.

?: (security.W019) You have 'django.middleware.clickjacking.XFrameOptionsMiddleware' in your MIDDLEWARE_CLASSES, but X_FRAME_OPTIONS is not set to 'DENY'. The default is 'SAMEORIGIN', but unless there is a good reason for your site to serve other parts of itself in a frame, you should change it to 'DENY'.

What should have happened?
==========================

No warnings identified.

Is there anything else we should know?
======================================

Security settings may impact the contribution and moderation interface, or other applications working against the API. These other applications may need to be changed once the new secure code is live in production. API tests may use an insecure cookie to test authenticated calls, and may need adjustments to continue working. SECRET_KEY comes from the Heroku environment, but may invalidate current sessions.
Blocks: 996570
Mentor: jwhitlock
Severity: normal → critical
Whiteboard: [specification][type:bug] → [specification][type:bug][bc:infra][bc:milestone=bicycle]
PR 94 added the SecurityMiddleware with configuration from environment:
https://github.com/mdn/browsercompat/pull/94

Updated the configuration for browsercompat.herokuapp.com:

SECRET_KEY - new long key
SECURE_HSTS_SECONDS - set to 1 hour
SECURE_CONTENT_TYPE_NOSNIFF - enabled
X_FRAME_OPTIONS - set to DENY
CSRF_COOKIE_HTTPONLY - enabled
CSRF_COOKIE_SECURE - enabled
SESSION_COOKIE_SECURE - enabled
SECURE_SSL_REDIRECT - enabled
SECURE_BROWSER_XSS_FILTER - enabled

I had to log in again, as expected, but the site appears to work, and a quick API update script worked as well.

./manage.py check --deploy has this remaining warning:

?: (security.W005) You have not set the SECURE_HSTS_INCLUDE_SUBDOMAINS setting to True. Without this, your site is potentially vulnerable to attack via an insecure connection to a subdomain. Only set this to True if you are certain that all subdomains of your domain should be served exclusively via SSL.

This seems inappropriate on Heroku, so I'm leaving it unset.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
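As an added example, not browsercompat's own code or PR 94: a settings builder driven by Heroku-style config vars, plus a check that mirrors the warnings quoted in this bug (the environment-variable names and the check logic are assumptions; Django's own `check --deploy` remains the authority).

```python
import secrets

SECURITY_MW = "django.middleware.security.SecurityMiddleware"
CSRF_MW = "django.middleware.csrf.CsrfViewMiddleware"
XFRAME_MW = "django.middleware.clickjacking.XFrameOptionsMiddleware"

def env_bool(env, name):
    # Heroku config vars are strings; treat "1", "true", "yes" as enabled
    return env.get(name, "").strip().lower() in ("1", "true", "yes")

def generate_secret_key():
    # 48 random bytes -> 64 URL-safe chars, comfortably above the W009 thresholds
    return secrets.token_urlsafe(48)

def security_settings(env):
    """Settings covered by `check --deploy`, read from config vars (names assumed)."""
    return {
        "SECRET_KEY": env.get("SECRET_KEY", ""),
        "MIDDLEWARE_CLASSES": [SECURITY_MW, CSRF_MW, XFRAME_MW],
        "SECURE_HSTS_SECONDS": int(env.get("SECURE_HSTS_SECONDS", "0")),
        "SECURE_HSTS_INCLUDE_SUBDOMAINS": env_bool(env, "SECURE_HSTS_INCLUDE_SUBDOMAINS"),
        "SECURE_CONTENT_TYPE_NOSNIFF": env_bool(env, "SECURE_CONTENT_TYPE_NOSNIFF"),
        "SECURE_BROWSER_XSS_FILTER": env_bool(env, "SECURE_BROWSER_XSS_FILTER"),
        "SECURE_SSL_REDIRECT": env_bool(env, "SECURE_SSL_REDIRECT"),
        "SESSION_COOKIE_SECURE": env_bool(env, "SESSION_COOKIE_SECURE"),
        "CSRF_COOKIE_SECURE": env_bool(env, "CSRF_COOKIE_SECURE"),
        "CSRF_COOKIE_HTTPONLY": env_bool(env, "CSRF_COOKIE_HTTPONLY"),
        "X_FRAME_OPTIONS": env.get("X_FRAME_OPTIONS", "SAMEORIGIN"),
    }

def deploy_check(s):
    """Mirror of the warnings quoted in this bug; returns the ids that would fire."""
    warnings = []
    mw = s["MIDDLEWARE_CLASSES"]
    if SECURITY_MW not in mw:
        warnings.append("security.W001")  # HSTS/nosniff/xss/ssl-redirect would be ignored
    elif s["SECURE_HSTS_SECONDS"] and not s["SECURE_HSTS_INCLUDE_SUBDOMAINS"]:
        warnings.append("security.W005")  # the warning left unresolved on Heroku
    if len(s["SECRET_KEY"]) < 50 or len(set(s["SECRET_KEY"])) < 5:
        warnings.append("security.W009")
    if not s["SESSION_COOKIE_SECURE"]:
        warnings.append("security.W012")
    if CSRF_MW in mw and not s["CSRF_COOKIE_SECURE"]:
        warnings.append("security.W016")
    if CSRF_MW in mw and not s["CSRF_COOKIE_HTTPONLY"]:
        warnings.append("security.W017")
    if XFRAME_MW in mw and s["X_FRAME_OPTIONS"] != "DENY":
        warnings.append("security.W019")
    return warnings
```

With the config vars from the comment above set (HSTS one hour, everything else enabled, X_FRAME_OPTIONS=DENY), only W005 remains, matching the reported outcome.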
For bugs that are resolved, we remove the security flag. These haven't had their flag removed, so I'm removing it now.
Group: websites-security
Product: developer.mozilla.org → developer.mozilla.org Graveyard