Implement CSP via Django 6.0

2026-02-03 17:40:39 +01:00 · 2026-01-15 10:36:07 +01:00
parent 265aed56fe
commit 650a93676e
3 changed files with 31 additions and 8 deletions
--- a/ram/ram/init.py
+++ b/ram/ram/init.py
@@ -1,4 +1,13 @@
 from django import VERSION as DJANGO_VERSION
 from django.utils.termcolors import colorize
 from ram.utils import git_suffix
 if DJANGO_VERSION < (6, 0):
    exit(
        colorize(
            "ERROR: This project requires Django 6.0 or higher.", fg="red"
        )
    )
 __version__ = "0.19.10"
 __version__ += git_suffix(__file__)
--- a/ram/ram/settings.py
+++ b/ram/ram/settings.py
@@ -3,6 +3,7 @@ Django settings for ram project.
 """
 from pathlib import Path
 from django.utils.csp import CSP
 # Build paths inside the project like this: BASE_DIR / 'subdir'.
 BASE_DIR = Path(__file__).resolve().parent.parent
@@ -12,9 +13,7 @@ STORAGE_DIR = BASE_DIR / "storage"
 # See https://docs.djangoproject.com/en/4.0/howto/deployment/checklist/
 # SECURITY WARNING: keep the secret key used in production secret!
-SECRET_KEY = (
+SECRET_KEY = "django-ram-insecure-Chang3m3-1n-Pr0duct10n!"
    "django-ram-insecure-Chang3m3-1n-Pr0duct10n!"
 )
 # SECURITY WARNING: don't run with debug turned on in production!
 DEBUG = True
@@ -48,6 +47,7 @@ MIDDLEWARE = [
    "django.contrib.sessions.middleware.SessionMiddleware",
    "django.middleware.common.CommonMiddleware",
    "django.middleware.csrf.CsrfViewMiddleware",
    "django.middleware.csp.ContentSecurityPolicyMiddleware",
    "django.contrib.auth.middleware.AuthenticationMiddleware",
    "django.contrib.messages.middleware.MessageMiddleware",
    "django.middleware.clickjacking.XFrameOptionsMiddleware",
@@ -109,11 +109,25 @@ DEFAULT_AUTO_FIELD = "django.db.models.BigAutoField"
 MEDIA_URL = "media/"
 MEDIA_ROOT = STORAGE_DIR / "media"
-# cookies hardening
+# Enforce a CSP policy:
-SESSION_COOKIE_NAME = '__Secure-sessionid'
+CDN_WHITELIST_CSP = ["https://cdn.jsdelivr.net/"]
 SECURE_CSP = {
    "default-src": [CSP.SELF] + CDN_WHITELIST_CSP,
    "img-src": ["data:", "*"],
    "script-src": [
        CSP.SELF,
        CSP.UNSAFE_INLINE,
        "https://www.googletagmanager.com/",
    ]
    + CDN_WHITELIST_CSP,
    "style-src": [CSP.SELF, CSP.UNSAFE_INLINE] + CDN_WHITELIST_CSP,
 }
 # Cookies hardening
 SESSION_COOKIE_NAME = "__Secure-sessionid"
 SESSION_COOKIE_SECURE = True
 SESSION_COOKIE_HTTPONLY = True
-CSRF_COOKIE_NAME = '__Secure-csrftoken'
+CSRF_COOKIE_NAME = "__Secure-csrftoken"
 CSRF_COOKIE_SECURE = True
 CSRF_COOKIE_HTTPONLY = True
@@ -169,7 +183,7 @@ MANUFACTURER_TYPES = [
    ("model", "Model"),
    ("real", "Real"),
    ("accessory", "Accessory"),
-    ("other", "Other")
+    ("other", "Other"),
 ]
 ROLLING_STOCK_TYPES = [
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,7 +1,7 @@
 pytz
 pillow
 markdown
-Django
+Django>=6.0
 djangorestframework
 django-solo
 django-countries