Enhance website security and add SEO meta tags for better visibility

Implement robust security headers, including CSP with nonces, and integrate comprehensive SEO meta tags into the base template and homepage. Add inline styles for CSP compliance and improve theme management script for immediate theme application. Replit-Commit-Author: Agent Replit-Commit-Session-Id: 48ecdb60-d0f0-4b75-95c9-34e409ef35fb Replit-Commit-Checkpoint-Type: intermediate_checkpoint
2025-12-20 05:51:08 -05:00 · 2025-09-22 16:06:47 +00:00
parent 95f94cc799
commit 6697d8890b
9 changed files with 315 additions and 52 deletions
--- a/apps/core/middleware/security_headers.py
+++ b/apps/core/middleware/security_headers.py
@@ -0,0 +1,97 @@
+"""
+Modern Security Headers Middleware for ThrillWiki
+Implements Content Security Policy and other modern security headers.
+"""
+
+import secrets
+import base64
+from django.conf import settings
+from django.utils.deprecation import MiddlewareMixin
+
+
+class SecurityHeadersMiddleware(MiddlewareMixin):
+    """
+    Middleware to add modern security headers to all responses.
+    """
+
+    def _generate_nonce(self):
+        """Generate a cryptographically secure nonce for CSP."""
+        # Generate 16 random bytes and encode as base64
+        return base64.b64encode(secrets.token_bytes(16)).decode('ascii')
+
+    def _modify_csp_with_nonce(self, csp_policy, nonce):
+        """Modify CSP policy to include nonce for script-src."""
+        if not csp_policy:
+            return csp_policy
+        
+        # Look for script-src directive and add nonce
+        directives = csp_policy.split(';')
+        modified_directives = []
+        
+        for directive in directives:
+            directive = directive.strip()
+            if directive.startswith('script-src '):
+                # Add nonce to script-src directive
+                directive += f" 'nonce-{nonce}'"
+            modified_directives.append(directive)
+        
+        return '; '.join(modified_directives)
+
+    def process_request(self, request):
+        """Generate and store nonce for this request."""
+        # Generate a nonce for this request
+        nonce = self._generate_nonce()
+        # Store it in request so templates can access it
+        request.csp_nonce = nonce
+        return None
+
+    def process_response(self, request, response):
+        """Add security headers to the response."""
+        
+        # Content Security Policy with nonce support
+        if hasattr(settings, 'SECURE_CONTENT_SECURITY_POLICY'):
+            csp_policy = settings.SECURE_CONTENT_SECURITY_POLICY
+            # Apply nonce if we have one for this request
+            if hasattr(request, 'csp_nonce'):
+                csp_policy = self._modify_csp_with_nonce(csp_policy, request.csp_nonce)
+            response['Content-Security-Policy'] = csp_policy
+        
+        # Cross-Origin Opener Policy
+        if hasattr(settings, 'SECURE_CROSS_ORIGIN_OPENER_POLICY'):
+            response['Cross-Origin-Opener-Policy'] = settings.SECURE_CROSS_ORIGIN_OPENER_POLICY
+        
+        # Referrer Policy
+        if hasattr(settings, 'SECURE_REFERRER_POLICY'):
+            response['Referrer-Policy'] = settings.SECURE_REFERRER_POLICY
+        
+        # Permissions Policy
+        if hasattr(settings, 'SECURE_PERMISSIONS_POLICY'):
+            response['Permissions-Policy'] = settings.SECURE_PERMISSIONS_POLICY
+        
+        # Additional security headers
+        response['X-Content-Type-Options'] = 'nosniff'
+        response['X-Frame-Options'] = getattr(settings, 'X_FRAME_OPTIONS', 'DENY')
+        response['X-XSS-Protection'] = '1; mode=block'
+        
+        # Cache Control headers for better performance
+        # Prevent caching of HTML pages to ensure users get fresh content
+        if response.get('Content-Type', '').startswith('text/html'):
+            response['Cache-Control'] = 'no-cache, no-store, must-revalidate'
+            response['Pragma'] = 'no-cache'
+            response['Expires'] = '0'
+        
+        # Strict Transport Security (if SSL is enabled)
+        if getattr(settings, 'SECURE_SSL_REDIRECT', False):
+            hsts_seconds = getattr(settings, 'SECURE_HSTS_SECONDS', 31536000)
+            hsts_include_subdomains = getattr(settings, 'SECURE_HSTS_INCLUDE_SUBDOMAINS', True)
+            hsts_preload = getattr(settings, 'SECURE_HSTS_PRELOAD', False)
+            
+            hsts_header = f'max-age={hsts_seconds}'
+            if hsts_include_subdomains:
+                hsts_header += '; includeSubDomains'
+            if hsts_preload:
+                hsts_header += '; preload'
+            
+            response['Strict-Transport-Security'] = hsts_header
+        
+        return response