How to get rid of Django security vulnerabilities warning signs in terminal

I have a simple Django project with a PostgreSQL backend and I can't seem to get rid of the Django security vulnerabilities warning signs on my terminal.

Settings.py:

import os
...
ENVIRONMENT = os.environ.get('ENVIRONMENT', default = 'development')
...
SECRET_KEY = os.environ.get('SECRET_KEY')
DEBUG = int(os.environ.get('DEBUG', default=0))
ALLOWED_HOSTS = ['localhost', '127.0.0.1']
DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.postgresql',
        ...
        'HOST': 'db',
        'PORT': 5432
    }
}
if ENVIRONMENT == 'production':
   SECURE_BROWSER_XSS_FILTER = True
   X_FRAME_OPTIONS = 'DENY'
   SECURE_SSL_REDIRECT = True
   SECURE_HSTS_SECONDS = 3600
   SECURE_HSTS_INCLUDE_SUBDOMAINS = True
   SECURE_HSTS_PRELOAD = True
   SECURE_CONTENT_TYPE_NOSNIFF = True
   SESSION_COOKIE_SECURE = True 
   CSRF_COOKIE_SECURE = True 
   SECURE_REFERRER_POLICY = 'same-origin'

docker-compose.yml:

version: '3.8'

services:
  web:
    build: .
    command: python /code/manage.py runserver 0.0.0.0:8000
    environment:
      - SECRET_KEY="SECRET_KEY"
      - DEBUG=1
      - ENVIRONMENT=development
    volumes:
      - .:/code
    ports:
      - 8000:8000
    depends_on:
      - db
  db:
    image: postgres:12.3
    volumes:
      - postgres_data:/var/lib/postgresql/data/

volumes:
  postgres_data:

docker-compose-prod.yml:

version: '3.8'

services:
  web:
    build: .
    command: python /code/manage.py runserver 0.0.0.0:8000
    environment:
      - SECRET_KEY="SECRET_KEY"
      - DEBUG=0
      - ENVIRONMENT=production
    ports:
      - 8000:8000
    depends_on:
      - db
  db:
    image: postgres:12.3

What I am running on the terminal:

sudo docker-compose down
sudo docker-compose -f docker-compose-prod.yml -f docker-compose.yml up -d --build
sudo docker-compose exec web python manage.py check --deploy

After running "sudo docker-compose exec web python manage.py check --deploy", I get the following warnings:

WARNINGS:
?: (security.W004) You have not set a value for the SECURE_HSTS_SECONDS setting. If your entire site is served only over SSL, you may want to consider setting a value and enabling HTTP Strict Transport Security. Be sure to read the documentation first; enabling HSTS carelessly can cause serious, irreversible problems.
?: (security.W008) Your SECURE_SSL_REDIRECT setting is not set to True. Unless your site should be available over both SSL and non-SSL connections, you may want to either set this setting True or configure a load balancer or reverse-proxy server to redirect all connections to HTTPS.
?: (security.W012) SESSION_COOKIE_SECURE is not set to True. Using a secure-only session cookie makes it more difficult for network traffic sniffers to hijack user sessions.
?: (security.W016) You have 'django.middleware.csrf.CsrfViewMiddleware' in your MIDDLEWARE, but you have not set CSRF_COOKIE_SECURE to True. Using a secure-only CSRF cookie makes it more difficult for network traffic sniffers to steal the CSRF token.
?: (security.W018) You should not have DEBUG set to True in deployment.
?: (security.W022) You have not set the SECURE_REFERRER_POLICY setting. Without this, your site will not send a Referrer-Policy header. You should consider enabling this header to protect user privacy.

I thought the warnings would go away because of the if statement in the settings.py.


I also tried running this on the terminal:

sudo docker-compose down
sudo docker-compose -f docker-compose-prod.yml up -d --build
sudo docker-compose exec web python manage.py check --deploy

However, I ended up getting a different error:

django.db.utils.OperationalError: could not translate host name "db" to address: Name or service not known

I am not sure where I went wrong. Are there any ideas on how I can make it work? Any input is truly appreciated.

Edited: I am using Firefox as my web browser.
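The following is an added illustration, not code from the question, from Django or from Docker Compose. It emulates two things the question turns on: how `docker-compose -f A -f B` merges the `environment` lists of both files (assumption used here: a key that appears in the later `-f` file overrides the earlier one), and how the question's `if ENVIRONMENT == 'production':` block reacts to the merged result. It then runs simplified stand-ins for the six `security.W0xx` checks listed above (the predicates are my own, written from the warning texts; `SECURE_REFERRER_POLICY = None` is assumed as the default, which is what Django 3.0 uses). The compose values are constructed to match the two files in the question.

```python
"""Emulate compose `environment` merging and the question's settings gating,
then run stand-ins for the six `check --deploy` warnings shown above.
Illustration only; not Django's check framework or Compose's merge code."""

# Constructed stand-ins for the `environment` lists of the two compose files.
COMPOSE_DEV = ["SECRET_KEY=placeholder", "DEBUG=1", "ENVIRONMENT=development"]
COMPOSE_PROD = ["SECRET_KEY=placeholder", "DEBUG=0", "ENVIRONMENT=production"]


def merge_environment(*files):
    """Merge `environment` lists in -f order: a key set in a later file wins
    (assumed merge rule, matching the question's observed behaviour)."""
    env = {}
    for entries in files:
        for entry in entries:
            key, _, value = entry.partition("=")
            env[key] = value
    return env


def build_settings(env):
    """Reproduce the gating logic of the question's settings.py."""
    settings = {
        "DEBUG": bool(int(env.get("DEBUG", "0"))),
        "SECURE_HSTS_SECONDS": 0,           # Django default
        "SECURE_SSL_REDIRECT": False,       # Django default
        "SESSION_COOKIE_SECURE": False,     # Django default
        "CSRF_COOKIE_SECURE": False,        # Django default
        "SECURE_REFERRER_POLICY": None,     # assumed default (Django 3.0)
    }
    if env.get("ENVIRONMENT", "development") == "production":
        settings.update({
            "SECURE_HSTS_SECONDS": 3600,
            "SECURE_SSL_REDIRECT": True,
            "SESSION_COOKIE_SECURE": True,
            "CSRF_COOKIE_SECURE": True,
            "SECURE_REFERRER_POLICY": "same-origin",
        })
    return settings


# Simplified stand-ins for the deploy checks: (check id, predicate that is
# True when the warning fires). Written from the warning texts, not Django's code.
DEPLOY_CHECKS = [
    ("security.W004", lambda s: not s["SECURE_HSTS_SECONDS"]),
    ("security.W008", lambda s: not s["SECURE_SSL_REDIRECT"]),
    ("security.W012", lambda s: not s["SESSION_COOKIE_SECURE"]),
    ("security.W016", lambda s: not s["CSRF_COOKIE_SECURE"]),
    ("security.W018", lambda s: s["DEBUG"]),
    ("security.W022", lambda s: s["SECURE_REFERRER_POLICY"] is None),
]


def deploy_warnings(settings):
    """Return the ids of the stand-in checks that fire for these settings."""
    return [check_id for check_id, fires in DEPLOY_CHECKS if fires(settings)]


def warnings_for_compose_order(*files):
    """Warnings you would see for a given `-f` file order."""
    return deploy_warnings(build_settings(merge_environment(*files)))


if __name__ == "__main__":
    # The order used in the question: -f docker-compose-prod.yml -f docker-compose.yml
    print("prod then dev:", warnings_for_compose_order(COMPOSE_PROD, COMPOSE_DEV))
    # Reversed order: the production values survive the merge
    print("dev then prod:", warnings_for_compose_order(COMPOSE_DEV, COMPOSE_PROD))
```

With the question's order the development file is applied last, so `ENVIRONMENT=development` and `DEBUG=1` are what the container sees, the `if` block never runs, and all six warnings fire. Listing the production file last makes the same `if` block take effect and the stand-in checks go quiet; the same `-f` flags also need to be passed to `docker-compose exec`, which otherwise reads only the default `docker-compose.yml`.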



Solution 1:[1]

First, paste this code into settings.py and save it.

# security.W018
DEBUG = False

# security.W016
CSRF_COOKIE_SECURE = True

# security.W012
SESSION_COOKIE_SECURE = True

# security.W008
SECURE_SSL_REDIRECT = True

# security.W004
SECURE_HSTS_SECONDS = 31536000 # One year in seconds

# Other security settings
SECURE_HSTS_INCLUDE_SUBDOMAINS = True
SECURE_HSTS_PRELOAD = True
SECURE_CONTENT_TYPE_NOSNIFF = True

# security.W022
# I think it won't be needed, because there are many ways.

Reference: Django check deploy warnings - Knowivate Developers

Django docs: https://docs.djangoproject.com/en/dev/ref/checks/#security

If there is any error even after this then tell me. I will try to fix that too.

If there is any mistake please let me know so that I can correct it.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution source
Solution 1: Michal Šrůtek