  2. 18 Feb, 2016 6 commits
      Update credits · 66639157
      Zenon Mousmoulas authored
      Merge pull request #8 from REANNZ/fix-secure · cf60b177
      Zenon Mousmoulas authored
      Two minor security fixes: construct secure URLs (for uwsgi, with examples) and
      mark cookies as secure
      Revise secure URL settings (cont.) · 6d829672
      Vladimir Mencl authored
      Actually remove the X-Forwarded-SSL header from the Apache mod_wsgi snippet.
      Revise secure URL settings · 262e5434
      Vladimir Mencl authored
      As per discussion in #8 (primary mode of deployment is with mod_wsgi):
      
      * Comment out the header setting at Django side and also move it from
        settings.py to local_settings.py (because it's now a customizable item).
      * Change the header name to `X-Forwarded-Protocol: https`
      * Change the Apache recommendation to use the header name and take it out of
        the mod_uwsgi snippet - and instead add a new section describing
        mod_proxy_http as an option.
      Use secure session cookies · e4868581
      Vladimir Mencl authored
      Django would by default use insecure cookies - that would be sent by the
      browser also over plain http.  And administrative work requiring authenticated
      sessions should be done over https - and therefore, the cookie should be marked
      as secure.
      
      This can be achieved by setting:
      
          settings.SESSION_COOKIE_SECURE = True
      
      As this is an essential security setting that shouldn't need additional tweaks,
      adding the setting to settings.py (and not local_settings.py).
      Use secure URLs when already using SSL · 2c10a316
      Vladimir Mencl authored
      Django constructs redirect URLs as https only if request.is_secure() is true.
      
      And that evaluates to true if either uwsgi sets wsgi.url_scheme to https, or
      if the request header contains a key + value configured as a tuple in
      settings.SECURE_PROXY_SSL_HEADER
      
      As some parts might be accessed over plain http and some over https (if Apache
      exposes both ports), the easiest is to:
      
      * Use the conventional header:
      
              X-Forwarded-SSL: on
      
      * Set this header from Apache SSL VirtualHost
      
      * Configure Django to check for this header with:
      
              SECURE_PROXY_SSL_HEADER = ('X-Forwarded-SSL', 'on')
      
      As this is an essential security setting that shouldn't need additional tweaks,
      adding the setting to settings.py (and not local_settings.py).
      
      Without this fix, the login form at /admin/ would upon successful login
      redirect to plain http, even when accessed over https.
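An added worked example, not code from any of the commits above: a stand-alone model (no Django import) of the is_secure() decision the last commit describes, first the SECURE_PROXY_SSL_HEADER check and then wsgi.url_scheme, and of the redirect URL built from it. The host name and the helpers meta_key, is_secure, login_redirect and proxy_environ are constructed here; note that Django matches the setting against the WSGI META key, so the header `X-Forwarded-SSL` is seen as `HTTP_X_FORWARDED_SSL`, and that the plain-http VirtualHost has to overwrite the header as well or a client-supplied copy reaches Django unchanged.

```python
# Constructed model of Django's HttpRequest.is_secure() and build_absolute_uri();
# it deliberately does not import Django so it runs anywhere.
SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_SSL", "on")  # META key form, not the raw header name


def meta_key(header_name):
    """Map an HTTP header name to its WSGI META key (X-Forwarded-SSL -> HTTP_X_FORWARDED_SSL)."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def is_secure(environ, proxy_header=SECURE_PROXY_SSL_HEADER):
    """Django 1.x logic: the proxy header wins if it matches, otherwise wsgi.url_scheme decides."""
    if proxy_header:
        key, expected = proxy_header
        if environ.get(key) == expected:
            return True
    return environ.get("wsgi.url_scheme") == "https"


def login_redirect(environ, host="idp.example.org", path="/admin/"):
    """Absolute redirect URL as the admin login would build it (host is a constructed value)."""
    scheme = "https" if is_secure(environ) else "http"
    return f"{scheme}://{host}{path}"


def proxy_environ(client_headers, tls_terminated, overwrite_on_http):
    """Build the WSGI environ a reverse proxy (Apache in front of uwsgi) hands to Django.

    tls_terminated:    the request arrived on the SSL VirtualHost, which sets the header.
    overwrite_on_http: the plain-http VirtualHost also sets the header (to "off"), so a
                       client-supplied X-Forwarded-SSL can never reach Django unchanged.
    The proxy talks plain http to the backend, so wsgi.url_scheme is always "http" here.
    """
    environ = {"wsgi.url_scheme": "http"}
    for name, value in client_headers.items():       # client headers pass through by default
        environ[meta_key(name)] = value
    if tls_terminated:
        environ[meta_key("X-Forwarded-SSL")] = "on"  # RequestHeader set X-Forwarded-SSL on
    elif overwrite_on_http:
        environ[meta_key("X-Forwarded-SSL")] = "off"  # RequestHeader set X-Forwarded-SSL off
    return environ


if __name__ == "__main__":
    print(login_redirect({"wsgi.url_scheme": "https"}))            # direct TLS at the WSGI server
    print(login_redirect(proxy_environ({}, True, False)))           # TLS terminated at the proxy
    print(login_redirect(proxy_environ({}, False, False)))          # plain http stays http
    spoof = {"X-Forwarded-SSL": "on"}                               # constructed client header
    print(is_secure(proxy_environ(spoof, False, False)))            # passed through: True
    print(is_secure(proxy_environ(spoof, False, True)))             # overwritten by proxy: False
```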