🔧[#42] add HSTS & CSP settings

open_api_framework/conf/base.py

@@ -203,6 +203,7 @@
     # External applications.
     "axes",
     "django_filters",
+    "csp",
     "corsheaders",
     "vng_api_common",
     "notifications_api_common",
@@ -241,6 +242,7 @@
     "django.contrib.messages.middleware.MessageMiddleware",
     "django.middleware.clickjacking.XFrameOptionsMiddleware",
     "axes.middleware.AxesMiddleware",
+    "csp.contrib.rate_limiting.RateLimitedCSPMiddleware",
 ]
 
 ROOT_URLCONF = f"{PROJECT_DIRNAME}.urls"
@@ -559,6 +561,9 @@
     ),
 )
 
+if IS_HTTPS:
+    SECURE_HSTS_SECONDS = 31536000
+
 X_FRAME_OPTIONS = "DENY"
 
 #
@@ -932,3 +937,61 @@ def init_sentry(before_send: Callable | None = None):
     default=7,
     help_text="The amount of time after which request logs should be deleted from the database",
 )  # number of days
+
+
+#
+# Django CSP settings
+#
+# explanation of directives: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
+# and how to specify them: https://django-csp.readthedocs.io/en/latest/configuration.html
+#
+# NOTE: make sure values are a tuple or list, and to quote special values like 'self'
+
+# ideally we'd use BASE_URI but it'd have to be lazy or cause issues
+CSP_DEFAULT_SRC = [
+    "'self'",
+] + config("CSP_EXTRA_DEFAULT_SRC", default=[], split=True)
+
+CSP_REPORT_PERCENTAGE = config("CSP_REPORT_PERCENTAGE", 1.0)  # float between 0 and 1
+
+CSP_FORM_ACTION = (
+    config(
+        "CSP_FORM_ACTION",
+        default=["\"'self'\""]
+        + config("CSP_EXTRA_FORM_ACTION", default=[], split=True),
+        split=True,
+    )
+    + CORS_ALLOWED_ORIGINS
+)
+
+CSP_IMG_SRC = CSP_DEFAULT_SRC + config("CSP_EXTRA_IMG_SRC", default=[], split=True)
+
+# affects <object> and <embed> tags, block everything by default but allow deploy-time
+# overrides.
+CSP_OBJECT_SRC = config("CSP_OBJECT_SRC", default=["\"'none'\""], split=True)
+
+# we must include this explicitly, otherwise the style-src only includes the nonce because
+# of CSP_INCLUDE_NONCE_IN
+CSP_STYLE_SRC = CSP_DEFAULT_SRC
+CSP_SCRIPT_SRC = CSP_DEFAULT_SRC
+
+# firefox does not get the nonce from default-src, see
+# https://stackoverflow.com/a/63376012
+CSP_INCLUDE_NONCE_IN = ["style-src", "script-src"]
+
+# directives that don't fallback to default-src
+CSP_BASE_URI = ["'self'"]
+
+# Frame directives do not fall back to default-src
+CSP_FRAME_ANCESTORS = ["'none'"]  # equivalent to X-Frame-Options: deny
+CSP_FRAME_SRC = ["'self'"]
+# CSP_NAVIGATE_TO = ["'self'"]  # this will break all outgoing links etc  # too much & tricky, see note on MDN
+# CSP_SANDBOX # too much
+
+CSP_UPGRADE_INSECURE_REQUESTS = False  # TODO enable on production?
+
+CSP_EXCLUDE_URL_PREFIXES = (
+    # ReDoc/Swagger pull in external sources, so don't enforce CSP on API endpoints/documentation.
+    "/api/",
+    "/admin/",
+)

pyproject.toml

@@ -39,6 +39,7 @@ dependencies = [
     "djangorestframework-gis>=1.0",
     "django-filter>=24.2",
     "drf-spectacular>=0.27.2",
+    "django-csp>=3.8",
     "djangorestframework-inclusions>=1.2.0",
     "commonground-api-common>=1.12.1",
     "mozilla-django-oidc-db>=0.19.0",