Skip to content

Commit

Permalink
Create new config section for web security settings
Browse files Browse the repository at this point in the history
  • Loading branch information
hmpf committed Feb 28, 2024
1 parent 2f19a39 commit e768d73
Show file tree
Hide file tree
Showing 3 changed files with 29 additions and 0 deletions.
15 changes: 15 additions & 0 deletions python/nav/django/settings.py
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,7 @@
from nav.db import get_connection_parameters
import nav.buildconf
from nav.jwtconf import JWTConf
from nav.web.security import WebSecurityConfigParser

ALLOWED_HOSTS = ['*']

Expand Down Expand Up @@ -252,6 +253,20 @@
'nav.web.info.searchproviders.UnrecognizedNeighborSearchProvider',
]

# Web security options supported by Django
# * https://docs.djangoproject.com/en/3.2/ref/middleware/#module-django.middleware.security
# * https://docs.djangoproject.com/en/3.2/topics/http/sessions/
# * https://docs.djangoproject.com/en/3.2/ref/clickjacking/
# Example conf:
# [security]
# ssl = on

SECURE_BROWSER_XSS_FILTER = True # Does no harm

_websecurity_config = WebSecurityConfigParser()
_tls_enabled = bool(_websecurity_config.getboolean('security', 'tls'))
SESSION_COOKIE_SECURE = _tls_enabled

# Hack for hackers to use features like debug_toolbar etc.
# https://code.djangoproject.com/wiki/SplitSettings (Rob Golding's method)
if _config_dir:
Expand Down
3 changes: 3 additions & 0 deletions python/nav/etc/webfront/webfront.conf
Original file line number Diff line number Diff line change
Expand Up @@ -130,3 +130,6 @@ enabled = no
# Some remote user systems need to be visited *after* NAV has logged the user
# out. The default/unset value is "/"
#post-logout-redirect-url=/magic/logout?nexthop=/

[security]
# tls = off
11 changes: 11 additions & 0 deletions python/nav/web/security.py
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
from pathlib import Path

from nav.config import NAVConfigParser


class WebSecurityConfigParser(NAVConfigParser):
DEFAULT_CONFIG_FILES = [str(Path('webfront') / 'webfront.conf')]
DEFAULT_CONFIG = u"""
[security]
tls=off
"""

0 comments on commit e768d73

Please sign in to comment.