thrillwiki_django_no_react/config/settings/security.py
pac7 6697d8890b Enhance website security and add SEO meta tags for better visibility
Implement robust security headers, including CSP with nonces, and integrate comprehensive SEO meta tags into the base template and homepage. Add inline styles for CSP compliance and improve theme management script for immediate theme application.

Replit-Commit-Author: Agent
Replit-Commit-Session-Id: 48ecdb60-d0f0-4b75-95c9-34e409ef35fb
Replit-Commit-Checkpoint-Type: intermediate_checkpoint
2025-09-22 16:06:47 +00:00


"""
Security configuration for thrillwiki project.
"""
import environ
env = environ.Env()

# Cloudflare Turnstile (bot challenge) settings.
# The secret key is server-side only; keep it out of templates and client
# bundles. The empty-string defaults are placeholders, not a working setup —
# the environment has to supply real keys.
TURNSTILE_SITE_KEY = env.str("TURNSTILE_SITE_KEY", default="")
TURNSTILE_SECRET_KEY = env.str("TURNSTILE_SECRET_KEY", default="")
# Verification endpoint for server-side token checks.
TURNSTILE_VERIFY_URL = env.str(
    "TURNSTILE_VERIFY_URL",
    default="https://challenges.cloudflare.com/turnstile/v0/siteverify",
)
# Security headers and settings (for production).
# These SECURE_* names are read by django.middleware.security.SecurityMiddleware.
# SECURE_BROWSER_XSS_FILTER was removed in Django 4.0 (the X-XSS-Protection
# header it controlled is obsolete in current browsers), so on a current
# Django it is a no-op that is kept here only for older deployments.
SECURE_BROWSER_XSS_FILTER = env.bool("SECURE_BROWSER_XSS_FILTER", default=True)
SECURE_CONTENT_TYPE_NOSNIFF = env.bool("SECURE_CONTENT_TYPE_NOSNIFF", default=True)

# HSTS. The middleware only emits Strict-Transport-Security on HTTPS
# responses; one year is the max-age browsers expect for a durable policy.
SECURE_HSTS_INCLUDE_SUBDOMAINS = env.bool(
    "SECURE_HSTS_INCLUDE_SUBDOMAINS", default=True
)
SECURE_HSTS_SECONDS = env.int("SECURE_HSTS_SECONDS", default=365 * 24 * 60 * 60)

# HTTP→HTTPS redirect: a list of path regexes to exempt, and the switch
# itself, which is off unless the environment enables it (presumably so
# plain-HTTP local development keeps working — confirm before deploying).
SECURE_REDIRECT_EXEMPT = env.list("SECURE_REDIRECT_EXEMPT", default=[])
SECURE_SSL_REDIRECT = env.bool("SECURE_SSL_REDIRECT", default=False)

# Only set this behind a proxy that overwrites the named header on every
# request; if a client can supply it directly, request.is_secure() can be
# spoofed. Expected form: a (header_name, expected_value) pair.
SECURE_PROXY_SSL_HEADER = env.tuple("SECURE_PROXY_SSL_HEADER", default=None)
# Session cookie hardening.
# NOTE(review): the Secure flag defaults to off for both the session and
# CSRF cookies below even though this is the production security module; a
# deployment that does not set SESSION_COOKIE_SECURE / CSRF_COOKIE_SECURE in
# its environment will send both cookies over plain HTTP.
SESSION_COOKIE_SECURE = env.bool("SESSION_COOKIE_SECURE", default=False)
SESSION_COOKIE_HTTPONLY = env.bool("SESSION_COOKIE_HTTPONLY", default=True)
SESSION_COOKIE_SAMESITE = env.str("SESSION_COOKIE_SAMESITE", default="Lax")

# CSRF cookie hardening.
CSRF_COOKIE_SECURE = env.bool("CSRF_COOKIE_SECURE", default=False)
# HttpOnly on the CSRF cookie stops JavaScript from reading it, so any AJAX
# caller has to take the token from the rendered form/template instead.
CSRF_COOKIE_HTTPONLY = env.bool("CSRF_COOKIE_HTTPONLY", default=True)
CSRF_COOKIE_SAMESITE = env.str("CSRF_COOKIE_SAMESITE", default="Lax")
# Content Security Policy (CSP) — tightened: no 'unsafe-inline' / 'unsafe-eval'.
# This name is not a Django core setting, so whether a middleware actually
# emits the header is not visible from this file — confirm something reads it.
# Things to keep in mind when editing the default policy:
#  - script-src trusts two public CDNs by host only; the per-request nonces
#    described in the commit message cannot live in a static string like this
#    one and have to be added by the emitting middleware.
#  - img-src includes the bare 'https:' scheme, i.e. images from any HTTPS origin.
#  - there is no frame-ancestors directive, so X_FRAME_OPTIONS is the only
#    clickjacking control.
# Directives are joined with "; " and the policy ends with a trailing ";".
SECURE_CONTENT_SECURITY_POLICY = env.str(
    "SECURE_CONTENT_SECURITY_POLICY",
    default="; ".join(
        (
            "default-src 'self'",
            "script-src 'self' https://unpkg.com https://cdnjs.cloudflare.com",
            "style-src 'self' https://fonts.googleapis.com https://cdnjs.cloudflare.com",
            "img-src 'self' data: https: blob:",
            "font-src 'self' https://fonts.gstatic.com https://cdnjs.cloudflare.com",
            "connect-src 'self'",
            "media-src 'self'",
            "object-src 'none'",
            "frame-src 'none'",
            "worker-src 'self'",
            "manifest-src 'self'",
            "base-uri 'self'",
            "form-action 'self'",
            "upgrade-insecure-requests",
        )
    )
    + ";",
)
# Additional modern security headers.
# Cross-Origin-Opener-Policy and Referrer-Policy are SecurityMiddleware
# settings (Django 4.0+ and 3.0+ respectively). SECURE_PERMISSIONS_POLICY is
# not a core Django setting — confirm a middleware emits it, otherwise the
# Permissions-Policy header is never sent.
SECURE_CROSS_ORIGIN_OPENER_POLICY = env.str(
    "SECURE_CROSS_ORIGIN_OPENER_POLICY", default="same-origin"
)
SECURE_REFERRER_POLICY = env.str(
    "SECURE_REFERRER_POLICY", default="strict-origin-when-cross-origin"
)
SECURE_PERMISSIONS_POLICY = env.str(
    "SECURE_PERMISSIONS_POLICY",
    default="geolocation=(), camera=(), microphone=(), payment=()",
)

# Clickjacking control, emitted by XFrameOptionsMiddleware. DENY is also
# Django's own default; with no frame-ancestors directive in the CSP above,
# this header is the sole framing guard.
X_FRAME_OPTIONS = env.str("X_FRAME_OPTIONS", default="DENY")