python-3.x - How to get rid of the Django security vulnerability warning flags in the terminal
Problem description
I have a simple Django project with a PostgreSQL backend, and I can't seem to get rid of the Django security vulnerability warning flags in the terminal.
settings.py:
import os
...
ENVIRONMENT = os.environ.get('ENVIRONMENT', default='development')
...
SECRET_KEY = os.environ.get('SECRET_KEY')
DEBUG = int(os.environ.get('DEBUG', default=0))
ALLOWED_HOSTS = ['localhost', '127.0.0.1']
DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.postgresql',
        ...
        'HOST': 'db',
        'PORT': 5432
    }
}
if ENVIRONMENT == 'production':
    SECURE_BROWSER_XSS_FILTER = True
    X_FRAME_OPTIONS = 'DENY'
    SECURE_SSL_REDIRECT = True
    SECURE_HSTS_SECONDS = 3600
    SECURE_HSTS_INCLUDE_SUBDOMAINS = True
    SECURE_HSTS_PRELOAD = True
    SECURE_CONTENT_TYPE_NOSNIFF = True
    SESSION_COOKIE_SECURE = True
    CSRF_COOKIE_SECURE = True
    SECURE_REFERRER_POLICY = 'same-origin'
docker-compose.yml:
version: '3.8'
services:
  web:
    build: .
    command: python /code/manage.py runserver 0.0.0.0:8000
    environment:
      - SECRET_KEY="SECRET_KEY"
      - DEBUG=1
      - ENVIRONMENT=development
    volumes:
      - .:/code
    ports:
      - 8000:8000
    depends_on:
      - db
  db:
    image: postgres:12.3
    volumes:
      - postgres_data:/var/lib/postgresql/data/
volumes:
  postgres_data:
docker-compose-prod.yml:
version: '3.8'
services:
  web:
    build: .
    command: python /code/manage.py runserver 0.0.0.0:8000
    environment:
      - SECRET_KEY="SECRET_KEY"
      - DEBUG=0
      - ENVIRONMENT=production
    ports:
      - 8000:8000
    depends_on:
      - db
  db:
    image: postgres:12.3
What I run in the terminal:
sudo docker-compose down
sudo docker-compose -f docker-compose-prod.yml -f docker-compose.yml up -d --build
sudo docker-compose exec web python manage.py check --deploy
After running "sudo docker-compose exec web python manage.py check --deploy", I get the following warnings:
WARNINGS:
?: (security.W004) You have not set a value for the SECURE_HSTS_SECONDS setting. If your entire site is served only over SSL, you may want to consider setting a value and enabling HTTP Strict Transport Security. Be sure to read the documentation first; enabling HSTS carelessly can cause serious, irreversible problems.
?: (security.W008) Your SECURE_SSL_REDIRECT setting is not set to True. Unless your site should be available over both SSL and non-SSL connections, you may want to either set this setting True or configure a load balancer or reverse-proxy server to redirect all connections to HTTPS.
?: (security.W012) SESSION_COOKIE_SECURE is not set to True. Using a secure-only session cookie makes it more difficult for network traffic sniffers to hijack user sessions.
?: (security.W016) You have 'django.middleware.csrf.CsrfViewMiddleware' in your MIDDLEWARE, but you have not set CSRF_COOKIE_SECURE to True. Using a secure-only CSRF cookie makes it more difficult for network traffic sniffers to steal the CSRF token.
?: (security.W018) You should not have DEBUG set to True in deployment.
?: (security.W022) You have not set the SECURE_REFERRER_POLICY setting. Without this, your site will not send a Referrer-Policy header. You should consider enabling this header to protect user privacy.
I thought the warnings would go away because of the if statement in settings.py.
I also tried running this in the terminal:
sudo docker-compose down
sudo docker-compose -f docker-compose-prod.yml up -d --build
sudo docker-compose exec web python manage.py check --deploy
However, I ended up with a different error:
django.db.utils.OperationalError: could not translate host name "db" to address: Name or service not known
I'm not sure where I went wrong. Any ideas on how to make this work? Any input is greatly appreciated.
Edit: I am using Firefox as my web browser.
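The following is an added example (not code from the question or the answer) that models, without Django or Docker installed, why the first command sequence above still produces the warnings. It assumes docker-compose's rule that when several -f files are given, a value defined in a later file overrides the same key from an earlier one, and it re-implements only the six check conditions listed in the question's output in simplified form; compose_env, build_settings and deploy_warnings are names chosen for this example.

```python
from typing import Dict, List

# Constructed copies of the `environment:` blocks in the question's two compose
# files (the double quotes are part of the YAML value as written there).
DEV_ENV = {"SECRET_KEY": '"SECRET_KEY"', "DEBUG": "1", "ENVIRONMENT": "development"}
PROD_ENV = {"SECRET_KEY": '"SECRET_KEY"', "DEBUG": "0", "ENVIRONMENT": "production"}

def compose_env(*files: Dict[str, str]) -> Dict[str, str]:
    """docker-compose `-f a -f b` merge rule: for a key present in several
    files, the value from the file given last wins."""
    merged: Dict[str, str] = {}
    for f in files:
        merged.update(f)
    return merged

def build_settings(env: Dict[str, str]) -> Dict[str, object]:
    """Mirror the question's settings.py: hardening only when ENVIRONMENT is
    'production'; the rest are the defaults the deploy checks test against."""
    settings: Dict[str, object] = {
        "DEBUG": bool(int(env.get("DEBUG", "0"))),
        "SECURE_SSL_REDIRECT": False, "SECURE_HSTS_SECONDS": 0,
        "SESSION_COOKIE_SECURE": False, "CSRF_COOKIE_SECURE": False,
        "SECURE_REFERRER_POLICY": None,
    }
    if env.get("ENVIRONMENT", "development") == "production":
        settings.update(SECURE_SSL_REDIRECT=True, SECURE_HSTS_SECONDS=3600,
                        SESSION_COOKIE_SECURE=True, CSRF_COOKIE_SECURE=True,
                        SECURE_REFERRER_POLICY="same-origin")
    return settings

def deploy_warnings(settings: Dict[str, object]) -> List[str]:
    """Simplified model of the six `check --deploy` conditions listed in the
    question (W016 assumes CsrfViewMiddleware is installed, as it is there)."""
    checks = [
        ("security.W004", not settings["SECURE_HSTS_SECONDS"]),
        ("security.W008", not settings["SECURE_SSL_REDIRECT"]),
        ("security.W012", not settings["SESSION_COOKIE_SECURE"]),
        ("security.W016", not settings["CSRF_COOKIE_SECURE"]),
        ("security.W018", bool(settings["DEBUG"])),
        ("security.W022", not settings["SECURE_REFERRER_POLICY"]),
    ]
    return [check_id for check_id, fired in checks if fired]

if __name__ == "__main__":
    asked = compose_env(PROD_ENV, DEV_ENV)   # order used in the question
    print(asked["ENVIRONMENT"], deploy_warnings(build_settings(asked)))
    fixed = compose_env(DEV_ENV, PROD_ENV)   # prod file last, so it wins
    print(fixed["ENVIRONMENT"], deploy_warnings(build_settings(fixed)))
```

With the prod file listed first and the dev file last, the merged environment is the development one, so all six warnings fire; with the prod file last (or alone) none of them do.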
Solution
First, paste this code into settings.py and save it:
# security.W018
DEBUG = False
# security.W016
CSRF_COOKIE_SECURE = True
# security.W012
SESSION_COOKIE_SECURE = True
# security.W008
SECURE_SSL_REDIRECT = True
# security.W004
SECURE_HSTS_SECONDS = 31536000 # One year in seconds
# Other security settings
SECURE_HSTS_INCLUDE_SUBDOMAINS = True
SECURE_HSTS_PRELOAD = True
SECURE_CONTENT_TYPE_NOSNIFF = True
# security.W022
# I think it won't be needed, because there are many ways.
Reference: Django check deploy warnings - Knowivate Developers
Django documentation: https://docs.djangoproject.com/en/3.2/ref/checks/#security
If there are still any errors after this, let me know and I'll try to solve that too.
If there are any mistakes, please let me know so I can correct them.