From ba141e6906a32683a9a4ae7059351fa951b6470b Mon Sep 17 00:00:00 2001 From: David Fischer Date: Thu, 6 Sep 2012 15:13:31 -0400 Subject: [PATCH 1/3] Added note about Strict Transport Security (HSTS) --- docs/topics/security.txt | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/docs/topics/security.txt b/docs/topics/security.txt index 151853d4ac..4589d01fd4 100644 --- a/docs/topics/security.txt +++ b/docs/topics/security.txt @@ -147,6 +147,14 @@ server, there are some additional steps you may need: any POST data being accepted over HTTP (which will be fine if you are redirecting all HTTP traffic to HTTPS). +* Use HTTP Strict Transport Security (HSTS) + + HSTS is an HTTP header that informs a browser that all future connections + to a particular site should always use HTTPS. Combined with redirecting + requests over HTTP to HTTPS, this will ensure that connections always enjoy + the added security of SSL provided one successful connection has occurred. + HSTS is usually configured on the web server. + .. _additional-security-topics: Host headers and virtual hosting From c65100248ddc4c305487013846b9fd343f7f3078 Mon Sep 17 00:00:00 2001 From: David Fischer Date: Thu, 6 Sep 2012 16:08:14 -0400 Subject: [PATCH 2/3] Added CSRF with HTTPS/HSTS and forwarding note --- docs/topics/security.txt | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/docs/topics/security.txt b/docs/topics/security.txt index 4589d01fd4..797ab0b594 100644 --- a/docs/topics/security.txt +++ b/docs/topics/security.txt 
@@ -76,9 +76,17 @@ POST to your Web site and have another logged in user unwittingly submit that form. The malicious user would have to know the nonce, which is user specific (using a cookie). +When deployed with :ref:`HTTPS `, +``CsrfViewMiddleware`` will check that the HTTP referer header is set to a +URL on the same origin (including subdomain and port). Because HTTPS +provides additional security, it is imperative to ensure connections use HTTPS +where it is available by forwarding insecure connection requests and using +HSTS for supported browsers. + Be very careful with marking views with the ``csrf_exempt`` decorator unless it is absolutely necessary. + SQL injection protection ======================== @@ -112,6 +120,8 @@ The middleware is strongly recommended for any site that does not need to have its pages wrapped in a frame by third party sites, or only needs to allow that for a small section of the site. +.. _security-recommendation-ssl: + SSL/HTTPS ========= @@ -155,7 +165,7 @@ server, there are some additional steps you may need: the added security of SSL provided one successful connection has occurred. HSTS is usually configured on the web server. -.. _additional-security-topics: +.. _host-headers-virtual-hosting: Host headers and virtual hosting ================================ @@ -175,6 +185,8 @@ recommend you ensure your Web server is configured such that: Additionally, as of 1.3.1, Django requires you to explicitly enable support for the ``X-Forwarded-Host`` header if your configuration requires it. +.. _additional-security-topics: + Additional security topics ========================== From 58786897a1e3ef5d31134cb0870a321425d56fea Mon Sep 17 00:00:00 2001 From: David Fischer Date: Thu, 6 Sep 2012 16:10:08 -0400 Subject: [PATCH 3/3] Formatting fix for host headers section --- docs/topics/security.txt | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) 
diff --git a/docs/topics/security.txt b/docs/topics/security.txt index 797ab0b594..0a3c6bff02 100644 --- a/docs/topics/security.txt +++ b/docs/topics/security.txt @@ -176,11 +176,11 @@ Site Scripting attacks, they can be used for Cross-Site Request Forgery and cache poisoning attacks in some circumstances. We recommend you ensure your Web server is configured such that: - * It always validates incoming HTTP ``Host`` headers against the expected - host name. - * Disallows requests with no ``Host`` header. - * Is *not* configured with a catch-all virtual host that forwards requests - to a Django application. +* It always validates incoming HTTP ``Host`` headers against the expected + host name. +* Disallows requests with no ``Host`` header. +* Is *not* configured with a catch-all virtual host that forwards requests + to a Django application. Additionally, as of 1.3.1, Django requires you to explicitly enable support for the ``X-Forwarded-Host`` header if your configuration requires it.
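Review bot: In the HSTS bullet added by the first patch (hunk @@ -147,6 +147,14 @@), the sentence ending "provided one successful connection has occurred" leaves the limitation implicit: until a browser has completed one HTTPS request and seen the header, nothing protects that first connection. Suggest stating this plainly so readers understand that HSTS complements, rather than replaces, the HTTP-to-HTTPS redirect described in the preceding bullet, e.g. "HSTS does not protect the very first connection a browser makes to the site, so the redirect above is still required."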
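Review bot: The cross-reference written as :ref:`HTTPS ` in the new CSRF paragraph (second patch, hunk @@ -76,9 +76,17 @@) has no target inside angle brackets, only a trailing space, so Sphinx will not resolve it. The same patch adds the label .. _security-recommendation-ssl: above the SSL/HTTPS section, so this most likely should read :ref:`HTTPS <security-recommendation-ssl>`. Two smaller points in the same hunk: "forwarding insecure connection requests" would be clearer as "redirecting HTTP requests to HTTPS", matching the wording used in the SSL/HTTPS section, and the extra blank line inserted before "SQL injection protection" leaves two blank lines where the file otherwise uses one.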
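Review bot: Renaming the label above "Host headers and virtual hosting" from _additional-security-topics to _host-headers-virtual-hosting (second patch, hunk @@ -155,7 +165,7 @@) silently retargets any existing :ref:`additional-security-topics` in the docs. The later hunk (@@ -175,6 +185,8 @@) re-adds .. _additional-security-topics: directly above the "Additional security topics" heading, which is where it belongs, but the commit message ("Added CSRF with HTTPS/HSTS and forwarding note") does not mention this label fix. Suggest noting it there and checking the rest of the docs for references to either label so the move is deliberate.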
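Review bot: De-indenting the three bullets under "We recommend you ensure your Web server is configured such that:" (third patch, hunk @@ -176,11 +176,11 @@) is the right fix, since in reStructuredText a list indented relative to the preceding paragraph renders as a block quote rather than a list; the commit message "Formatting fix for host headers section" would be more useful if it said so. One wording nit remains in the list itself: the first item is a full clause ("It always validates ...") while the other two start with a bare verb ("Disallows ...", "Is *not* configured ..."), so the items read unevenly; dropping the leading "It" from the first item would make them parallel.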