How to get rid of the Django security vulnerability warning flags in the terminal

Problem description

I have a simple Django project with a PostgreSQL backend, and I can't seem to get rid of the Django security vulnerability warning flags in the terminal.

settings.py:

import os
...
ENVIRONMENT = os.environ.get('ENVIRONMENT', default = 'development')
...
SECRET_KEY = os.environ.get('SECRET_KEY')
DEBUG = int(os.environ.get('DEBUG', default=0))
ALLOWED_HOSTS = ['localhost', '127.0.0.1']
DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.postgresql',
        ...
        'HOST': 'db',
        'PORT': 5432
    }
}
if ENVIRONMENT == 'production':
   SECURE_BROWSER_XSS_FILTER = True
   X_FRAME_OPTIONS = 'DENY'
   SECURE_SSL_REDIRECT = True
   SECURE_HSTS_SECONDS = 3600
   SECURE_HSTS_INCLUDE_SUBDOMAINS = True
   SECURE_HSTS_PRELOAD = True
   SECURE_CONTENT_TYPE_NOSNIFF = True
   SESSION_COOKIE_SECURE = True 
   CSRF_COOKIE_SECURE = True 
   SECURE_REFERRER_POLICY = 'same-origin'

docker-compose.yml:

version: '3.8'

services:
  web:
    build: .
    command: python /code/manage.py runserver 0.0.0.0:8000
    environment:
      - SECRET_KEY="SECRET_KEY"
      - DEBUG=1
      - ENVIRONMENT=development
    volumes:
      - .:/code
    ports:
      - 8000:8000
    depends_on:
      - db
  db:
    image: postgres:12.3
    volumes:
      - postgres_data:/var/lib/postgresql/data/

volumes:
  postgres_data:

docker-compose-prod.yml:

version: '3.8'

services:
  web:
    build: .
    command: python /code/manage.py runserver 0.0.0.0:8000
    environment:
      - SECRET_KEY="SECRET_KEY"
      - DEBUG=0
      - ENVIRONMENT=production
    ports:
      - 8000:8000
    depends_on:
      - db
  db:
    image: postgres:12.3

What I run in the terminal:

sudo docker-compose down
sudo docker-compose -f docker-compose-prod.yml -f docker-compose.yml up -d --build
sudo docker-compose exec web python manage.py check --deploy

After running "sudo docker-compose exec web python manage.py check --deploy", I get the following warnings:

WARNINGS:
?: (security.W004) You have not set a value for the SECURE_HSTS_SECONDS setting. If your entire site is served only over SSL, you may want to consider setting a value and enabling HTTP Strict Transport Security. Be sure to read the documentation first; enabling HSTS carelessly can cause serious, irreversible problems.
?: (security.W008) Your SECURE_SSL_REDIRECT setting is not set to True. Unless your site should be available over both SSL and non-SSL connections, you may want to either set this setting True or configure a load balancer or reverse-proxy server to redirect all connections to HTTPS.
?: (security.W012) SESSION_COOKIE_SECURE is not set to True. Using a secure-only session cookie makes it more difficult for network traffic sniffers to hijack user sessions.
?: (security.W016) You have 'django.middleware.csrf.CsrfViewMiddleware' in your MIDDLEWARE, but you have not set CSRF_COOKIE_SECURE to True. Using a secure-only CSRF cookie makes it more difficult for network traffic sniffers to steal the CSRF token.
?: (security.W018) You should not have DEBUG set to True in deployment.
?: (security.W022) You have not set the SECURE_REFERRER_POLICY setting. Without this, your site will not send a Referrer-Policy header. You should consider enabling this header to protect user privacy.

I thought the warnings would go away because of the if statement in settings.py.

I also tried running this in the terminal:

sudo docker-compose down
sudo docker-compose -f docker-compose-prod.yml up -d --build
sudo docker-compose exec web python manage.py check --deploy

However, I ended up with a different error:

django.db.utils.OperationalError: could not translate host name "db" to address: Name or service not known

I'm not sure where I'm going wrong. Any ideas on how to make this work? Any input is greatly appreciated.

Edit: I'm using Firefox as my web browser.

Tags: python-3.x, django, postgresql, docker, security

Solution

First, paste this code into settings.py and save.

# security.W018
DEBUG = False

# security.W016
CSRF_COOKIE_SECURE = True

# security.W012
SESSION_COOKIE_SECURE = True

# security.W008
SECURE_SSL_REDIRECT = True

# security.W004
SECURE_HSTS_SECONDS = 31536000 # One year in seconds

# Other security settings
SECURE_HSTS_INCLUDE_SUBDOMAINS = True
SECURE_HSTS_PRELOAD = True
SECURE_CONTENT_TYPE_NOSNIFF = True

# security.W022
# I think it won't be needed, because there are many ways.

Reference: Django Check Deploy Warnings - Knowivate Developers

Django docs: https://docs.djangoproject.com/en/3.2/ref/checks/#security

If there are still any errors after this, let me know. I'll try to solve that as well.

If there are any mistakes, let me know so that I can correct them.
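As an added example (not code from the question or the answer), the script below models the two pieces of behaviour that explain the thread. Compose applies the files named with -f left to right and a later file's value wins for each environment key, so `-f docker-compose-prod.yml -f docker-compose.yml` leaves the web container with DEBUG=1 and ENVIRONMENT=development, the `if ENVIRONMENT == 'production'` block in settings.py never runs, and every warning in the question follows; with the order swapped, none does. The same model is then run over the answer's unconditional settings: they silence five of the six warnings, but W022 depends on the Django version, because the asker's output shows W022 at all only if their Django still defaulted SECURE_REFERRER_POLICY to None (as 3.0 did; 3.1 changed the default to 'same-origin'). The environment lists are copied from the compose files in the question; the check conditions are a hand-written subset of Django's `check --deploy` and assume SecurityMiddleware, SessionMiddleware and CsrfViewMiddleware are installed, which the asker's output implies. The model is constructed and touches neither Docker nor Django.

```python
"""Added example (not from the question or the answer): a small model of how
Compose merges -f files and how Django's `check --deploy` reacts to the
resulting settings.  Constructed data; it does not touch Docker or Django."""

# `environment` lists copied from the two compose files in the question.
# Compose splits each item at the first '=' and keeps the rest verbatim, so in
# list form the double quotes become part of the SECRET_KEY value.
DEV_ENV = ['SECRET_KEY="SECRET_KEY"', "DEBUG=1", "ENVIRONMENT=development"]
PROD_ENV = ['SECRET_KEY="SECRET_KEY"', "DEBUG=0", "ENVIRONMENT=production"]


def merge_environment(*env_lists):
    """Compose merge rule for list-form `environment`: the files named with -f
    are applied left to right and a later file's value wins for each key."""
    merged = {}
    for env in env_lists:
        for item in env:
            key, _, value = item.partition("=")
            merged[key] = value
    return merged


def effective_settings(env, default_referrer_policy=None):
    """Mirror of the env-driven logic in the asker's settings.py.

    default_referrer_policy models Django's own default for
    SECURE_REFERRER_POLICY: None on 3.0 (what the asker's W022 implies),
    'same-origin' from 3.1 on."""
    environment = env.get("ENVIRONMENT", "development")
    settings = {
        "DEBUG": bool(int(env.get("DEBUG", 0))),
        "SECURE_HSTS_SECONDS": 0,
        "SECURE_SSL_REDIRECT": False,
        "SESSION_COOKIE_SECURE": False,
        "CSRF_COOKIE_SECURE": False,
        "SECURE_REFERRER_POLICY": default_referrer_policy,
    }
    if environment == "production":
        settings.update(
            SECURE_SSL_REDIRECT=True,
            SECURE_HSTS_SECONDS=3600,
            SESSION_COOKIE_SECURE=True,
            CSRF_COOKIE_SECURE=True,
            SECURE_REFERRER_POLICY="same-origin",
        )
    return settings


def answer_settings(default_referrer_policy=None):
    """The answer's approach: deploy settings fixed to production values
    regardless of ENVIRONMENT; SECURE_REFERRER_POLICY is left at the default."""
    return {
        "DEBUG": False,
        "SECURE_HSTS_SECONDS": 31536000,
        "SECURE_SSL_REDIRECT": True,
        "SESSION_COOKIE_SECURE": True,
        "CSRF_COOKIE_SECURE": True,
        "SECURE_REFERRER_POLICY": default_referrer_policy,
    }


def deploy_warnings(settings):
    """The subset of Django's `check --deploy` conditions that appear in the
    question, in the order Django reports them.  Assumes SecurityMiddleware,
    SessionMiddleware and CsrfViewMiddleware are installed; without them Django
    reports missing-middleware warnings instead of these."""
    warnings = []
    if not settings["SECURE_HSTS_SECONDS"]:
        warnings.append("security.W004")
    if not settings["SECURE_SSL_REDIRECT"]:
        warnings.append("security.W008")
    if not settings["SESSION_COOKIE_SECURE"]:
        warnings.append("security.W012")
    if not settings["CSRF_COOKIE_SECURE"]:
        warnings.append("security.W016")
    if settings["DEBUG"]:
        warnings.append("security.W018")
    if settings["SECURE_REFERRER_POLICY"] is None:
        warnings.append("security.W022")
    return warnings


def warnings_for_compose_order(*env_lists):
    """Warnings `check --deploy` would print for the given -f order."""
    return deploy_warnings(effective_settings(merge_environment(*env_lists)))


if __name__ == "__main__":
    # The asker's command: -f docker-compose-prod.yml -f docker-compose.yml,
    # so the dev file is the override and DEBUG=1 / development win.
    print("prod then dev:", warnings_for_compose_order(PROD_ENV, DEV_ENV))
    # The intended layering: dev as the base file, prod as the override.
    print("dev then prod:", warnings_for_compose_order(DEV_ENV, PROD_ENV))
    # The answer's unconditional settings, on Django 3.0 and on 3.1+.
    print("answer on 3.0: ", deploy_warnings(answer_settings(None)))
    print("answer on 3.1+:", deploy_warnings(answer_settings("same-origin")))
```

Two practical caveats follow from the model. Setting everything unconditionally, as the answer does, also applies SECURE_SSL_REDIRECT=True to local runserver, which then redirects every plain-http request to an https URL it cannot serve; and a one-year HSTS with preload is exactly the hard-to-reverse case the W004 text itself warns about, so keep these gated on the production environment as the asker already does. Before `up`, `docker-compose -f docker-compose.yml -f docker-compose-prod.yml config` prints the merged configuration, which is the quickest way to confirm which DEBUG and ENVIRONMENT values the web service will actually receive.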

