Reputation: 498
I am currently getting the following Django security warnings when running makemigrations:
System check identified some issues:
WARNINGS:
?: (security.W004) You have not set a value for the SECURE_HSTS_SECONDS setting. If your entire site is served only over SSL, you may want to consider setting a value and enabling HTTP Strict Transport Security. Be sure to read the documentation first; enabling HSTS carelessly can cause serious, irreversible problems.
?: (security.W006) Your SECURE_CONTENT_TYPE_NOSNIFF setting is not set to True, so your pages will not be served with an 'x-content-type-options: nosniff' header. You should consider enabling this header to prevent the browser from identifying content types incorrectly.
?: (...) SESSION_COOKIE_SECURE is not set to True. Using a secure-only session cookie makes it more difficult for network traffic sniffers to hijack user sessions.
?: (security.W019) You have 'django.middleware.clickjacking.XFrameOptionsMiddleware' in your MIDDLEWARE_CLASSES, but X_FRAME_OPTIONS is not set to 'DENY'. The default is 'SAMEORIGIN', but unless there is a good reason for your site to serve other parts of itself in a frame, you should change it to 'DENY'.
followed by a set of other warnings. I plan on addressing these warnings, but I don't understand why everyone else on my team does not get these warnings. I am using a Python virtualenv. Does anyone have any ideas why I am the only one getting these warnings?
I've also verified that I don't get these warnings when using another computer; it is only my development machine.
Upvotes: 2
Views: 7870
Reputation: 11531
It's probably the version of Django you're using. Version 1.8 and later use HSTS.
Upvotes: 2
Reputation: 1660
Seems like the Django version was upgraded but not your middlewares. Make sure SecurityMiddleware is among them.
More info: https://docs.djangoproject.com/en/3.2/topics/http/middleware/
Upvotes: 0
Reputation: 2965
The first warning is about the HSTS header, which prevents browsers from accessing the site over plain HTTP. It is typically set to 1 year, i.e. 31536000 seconds. But under testing conditions you might prefer a lower value like 60 sec or 3600 sec.
SECURE_HSTS_SECONDS = 31536000
The second warning is about preventing MIME-sniffing attacks. This can be prevented by adding the following line to your settings.py:
SECURE_CONTENT_TYPE_NOSNIFF = True
Documentation:
Upvotes: 5
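The settings in the answers only help if the deployed site actually serves the corresponding headers. The following is an added example (not from the question or any answer) that checks a captured set of response headers for the four protections the warnings concern: the HSTS max-age (compared against the one-year value above), the nosniff header, X-Frame-Options set to DENY, and the Secure flag on the session cookie. The `(name, value)` header list, the cookie name `sessionid` and the one-year threshold are assumptions; the sample headers are constructed.

```python
import re

ONE_YEAR = 31536000  # the SECURE_HSTS_SECONDS value the answer recommends


def hsts_max_age(value):
    """Return the max-age from a Strict-Transport-Security value, or None."""
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else None


def check_headers(headers, min_hsts=ONE_YEAR, session_cookie="sessionid"):
    """headers: list of (name, value) pairs captured from one HTTPS response.
    Returns a sorted list of findings; an empty list means all checks passed."""
    findings, plain, cookies = [], {}, []
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookies.append(value)  # there may be several Set-Cookie headers
        else:
            plain[name.lower()] = value

    hsts = plain.get("strict-transport-security")
    if hsts is None:
        findings.append("hsts-missing")
    elif (hsts_max_age(hsts) or 0) < min_hsts:
        findings.append("hsts-max-age-too-low")

    if plain.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("nosniff-missing")

    if plain.get("x-frame-options", "").upper() != "DENY":
        findings.append("x-frame-options-not-deny")

    for cookie in cookies:
        name, _, rest = cookie.partition("=")
        if name.strip() == session_cookie:
            flags = [p.strip().lower() for p in rest.split(";")[1:]]
            if "secure" not in flags:
                findings.append("session-cookie-not-secure")
    return sorted(findings)


# Constructed sample: a site that enabled nosniff but kept the other
# defaults and used a short HSTS value while testing.
SAMPLE_HEADERS = [
    ("X-Content-Type-Options", "nosniff"),
    ("X-Frame-Options", "SAMEORIGIN"),
    ("Strict-Transport-Security", "max-age=3600"),
    ("Set-Cookie", "sessionid=abc123; HttpOnly; Path=/"),
]
```

Feed it the headers of a real response (for example the output of `curl -sI` against the site) to confirm the settings took effect behind any proxy or load balancer.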