fix: Update HTTP headers and CSRF sessions usage

ocadotechnology · Jan 3, 2024 · facb212 · facb212
1 parent b41ec43
commit facb212
Show file tree

Hide file tree

Showing 4 changed files with 7 additions and 5 deletions.
diff --git a/deploy/middleware/security.py b/deploy/middleware/security.py
@@ -4,19 +4,19 @@
 class CustomSecurityMiddleware(SecurityMiddleware):
     """
     Extends Django's Security Middleware.
-    See https://docs.djangoproject.com/en/2.2/_modules/django/middleware/security/ for
-    the source code, as well as https://docs.djangoproject.com/en/2.2/ref/middleware/#module-django.middleware.security
+    See https://docs.djangoproject.com/en/3.2/_modules/django/middleware/security/ for
+    the source code, as well as https://docs.djangoproject.com/en/3.2/ref/middleware/#module-django.middleware.security
     for docs on security middleware.
     """
 
     def process_response(self, request, response):
         """
         Extends the original security middleware to ensure the X-XSS-Protection header
-        is set to 0.
+        is set to 1.
         """
         super().process_response(request, response)
 
         if self.xss_filter:
-            response["X-XSS-Protection"] = "0"
+            response["X-XSS-Protection"] = "1"
 
         return response
diff --git a/example_project/portal_test_settings.py b/example_project/portal_test_settings.py
@@ -185,6 +185,7 @@
 SECURE_CONTENT_TYPE_NOSNIFF = True
 SECURE_BROWSER_XSS_FILTER = True
 SECURE_REFERRER_POLICY = "strict-origin-when-cross-origin"
+CSRF_USE_SESSIONS = True
 RECAPTCHA_DOMAIN = "www.recaptcha.net"
 AUTHENTICATION_BACKENDS = ["django.contrib.auth.backends.ModelBackend", "portal.backends.StudentLoginBackend"]
 USE_TZ = True

diff --git a/example_project/settings.py b/example_project/settings.py
@@ -148,6 +148,7 @@
 SECURE_CONTENT_TYPE_NOSNIFF = True
 SECURE_BROWSER_XSS_FILTER = True
 SECURE_REFERRER_POLICY = "strict-origin-when-cross-origin"
+CSRF_USE_SESSIONS = True
 RECAPTCHA_DOMAIN = "www.recaptcha.net"
 AUTHENTICATION_BACKENDS = ["django.contrib.auth.backends.ModelBackend", "portal.backends.StudentLoginBackend"]
 USE_TZ = True

diff --git a/portal/tests/test_middleware.py b/portal/tests/test_middleware.py
@@ -118,7 +118,7 @@ def test_security_headers(self):
         assert response.headers["cache-control"] == "private"
         assert response.headers["x-content-type-options"] == "nosniff"
         assert response.headers["x-frame-options"] == "DENY"
-        assert response.headers["x-xss-protection"] == "0"
+        assert response.headers["x-xss-protection"] == "1"
 
 
 class TestSessionTimeoutMiddleware(TestCase):