Skip to content

security: harden production settings for GraphQL, HSTS, and HTTP headers (fixes #3783) #3799

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
arkid15r merged 18 commits into from
Feb 12, 2026
Merged

security: harden production settings for GraphQL, HSTS, and HTTP headers (fixes #3783) #3799

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
18 commits
Select commit Hold shift + click to select a range
fb4083b
Refactor Dockerfile to improve caching and security
ScienHAC Feb 5, 2026
d8d8c2f
Merge branch 'OWASP:main' into main
ScienHAC Feb 5, 2026
c19fb64
Update base.py
ScienHAC Feb 5, 2026
71894b0
Update graphql.py
ScienHAC Feb 5, 2026
21684b9
Update production.py
ScienHAC Feb 5, 2026
1b204b7
Merge branch 'OWASP:main' into main
ScienHAC Feb 6, 2026
62f6d92
Merge branch 'OWASP:main' into main
ScienHAC Feb 8, 2026
894cbf6
Apply suggestion from @cubic-dev-ai[bot]
ScienHAC Feb 8, 2026
502c36f
Update Dockerfile
ScienHAC Feb 8, 2026
9c61fc0
Update Dockerfile
ScienHAC Feb 8, 2026
d817ed8
Add security settings for HSTS and SSL
ScienHAC Feb 8, 2026
5c4d4b8
Simplify GraphQL schema extensions setup
ScienHAC Feb 8, 2026
439d41f
Update staging.py
ScienHAC Feb 8, 2026
ea4e219
Update staging.py
ScienHAC Feb 8, 2026
9aa535a
Merge branch 'main' into pr/ScienHAC/3799
arkid15r Feb 12, 2026
de32260
Update code
arkid15r Feb 12, 2026
c7fa9aa
Merge branch 'main' into main
arkid15r Feb 12, 2026
d28bf41
Update code
arkid15r Feb 12, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 8 additions & 0 deletions backend/settings/base.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,7 @@ class Base(Configuration):

RELEASE_VERSION = values.Value(environ_name="RELEASE_VERSION")

CSRF_COOKIE_SECURE = True
SESSION_COOKIE_HTTPONLY = True
SESSION_COOKIE_NAME = "nest.session-id"
SESSION_COOKIE_SAMESITE = "Lax"
Expand Down Expand Up @@ -229,3 +230,10 @@ class Base(Configuration):
SLACK_COMMANDS_ENABLED = True
SLACK_EVENTS_ENABLED = True
SLACK_SIGNING_SECRET = values.SecretValue()

SECURE_CONTENT_TYPE_NOSNIFF = True
SECURE_HSTS_INCLUDE_SUBDOMAINS = True
SECURE_HSTS_PRELOAD = True
SECURE_HSTS_SECONDS = 31536000
SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")
SECURE_SSL_REDIRECT = True
Copy link
Contributor

@cubic-dev-ai cubic-dev-ai bot Feb 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1: SECURE_SSL_REDIRECT = True in the Base configuration is not overridden in test.py. The local, e2e, and fuzz configurations all correctly override this to False, but the test configuration does not. This will cause Django's SecurityMiddleware to 301-redirect all HTTP requests to HTTPS during tests, which can break test assertions expecting direct responses.

Either add SECURE_SSL_REDIRECT = False to backend/settings/test.py, or move SECURE_SSL_REDIRECT = True out of base.py and into only the configurations that need it (production, staging).

Prompt for AI agents 
Check if this issue is valid — if so, understand the root cause and fix it. At backend/settings/base.py, line 239:

<comment>`SECURE_SSL_REDIRECT = True` in the Base configuration is not overridden in `test.py`. The local, e2e, and fuzz configurations all correctly override this to `False`, but the test configuration does not. This will cause Django's `SecurityMiddleware` to 301-redirect all HTTP requests to HTTPS during tests, which can break test assertions expecting direct responses.

Either add `SECURE_SSL_REDIRECT = False` to `backend/settings/test.py`, or move `SECURE_SSL_REDIRECT = True` out of `base.py` and into only the configurations that need it (production, staging).</comment>

<file context>
@@ -231,3 +232,8 @@ class Base(Configuration):
+    SECURE_HSTS_PRELOAD = True
+    SECURE_HSTS_SECONDS = 31536000
+    SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")
+    SECURE_SSL_REDIRECT = True
</file context>

6 changes: 6 additions & 0 deletions backend/settings/e2e.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,3 +22,9 @@ class E2E(Base):
IS_E2E_ENVIRONMENT = True
LOGGING = {}
PUBLIC_IP_ADDRESS = values.Value()

CSRF_COOKIE_SECURE = False
SECURE_HSTS_SECONDS = 0
SECURE_PROXY_SSL_HEADER = None # type: ignore[assignment] # Django accepts None to disable.
SECURE_SSL_REDIRECT = False
SESSION_COOKIE_SECURE = False
7 changes: 7 additions & 0 deletions backend/settings/fuzz.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,5 +12,12 @@ class Fuzz(Base):
SITE_URL = "http://localhost:9500"

IS_FUZZ_ENVIRONMENT = True

LOGGING = {}
PUBLIC_IP_ADDRESS = values.Value()

CSRF_COOKIE_SECURE = False
SECURE_HSTS_SECONDS = 0
SECURE_PROXY_SSL_HEADER = None # type: ignore[assignment] # Django accepts None to disable.
SECURE_SSL_REDIRECT = False
SESSION_COOKIE_SECURE = False
17 changes: 11 additions & 6 deletions backend/settings/graphql.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,8 @@
"""GraphQL schema."""

import strawberry
from strawberry.extensions import QueryDepthLimiter
from django.conf import settings
from strawberry.extensions import DisableIntrospection, QueryDepthLimiter
from strawberry_django.optimizer import DjangoOptimizerExtension

from apps.api.internal.mutations import ApiMutations
Expand Down Expand Up @@ -42,8 +43,12 @@ class Query(
"""Schema queries."""


schema = strawberry.Schema(
mutation=Mutation,
query=Query,
extensions=[QueryDepthLimiter(max_depth=5), DjangoOptimizerExtension()],
)
extensions = [
QueryDepthLimiter(max_depth=5),
DjangoOptimizerExtension(),
]

if not settings.DEBUG and not settings.IS_FUZZ_ENVIRONMENT:
extensions.append(DisableIntrospection())

schema = strawberry.Schema(extensions=extensions, mutation=Mutation, query=Query)
7 changes: 7 additions & 0 deletions backend/settings/local.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,5 +21,12 @@ class Local(Base):
IS_LOCAL_ENVIRONMENT = True
LOGGING = {}
PUBLIC_IP_ADDRESS = values.Value()

CSRF_COOKIE_SECURE = False
SECURE_HSTS_SECONDS = 0
SECURE_PROXY_SSL_HEADER = None # type: ignore[assignment] # Django accepts None to disable.
SECURE_SSL_REDIRECT = False
SESSION_COOKIE_SECURE = False

SLACK_COMMANDS_ENABLED = True
SLACK_EVENTS_ENABLED = True
4 changes: 0 additions & 4 deletions backend/settings/staging.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,12 +24,10 @@ class Staging(Base):
AWS_S3_OBJECT_PARAMETERS = {
"CacheControl": "max-age=86400",
}

AWS_LOCATION = "static"

# Static files (CSS, JavaScript, Images)
STATIC_URL = f"https://{AWS_S3_CUSTOM_DOMAIN}/{AWS_LOCATION}/"

STORAGES = {
"default": {
"BACKEND": "storages.backends.s3.S3Storage",
Expand All @@ -42,12 +40,10 @@ class Staging(Base):
APP_NAME = "OWASP Nest Staging"
SITE_NAME = "nest.owasp.dev"
SITE_URL = f"https://{SITE_NAME}"

ALLOWED_ORIGINS = (SITE_URL,)
CORS_ALLOWED_ORIGINS = ALLOWED_ORIGINS
CSRF_TRUSTED_ORIGINS = ALLOWED_ORIGINS

IS_STAGING_ENVIRONMENT = True

SLACK_COMMANDS_ENABLED = True
SLACK_EVENTS_ENABLED = True
6 changes: 6 additions & 0 deletions backend/settings/test.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,3 +14,9 @@ class Test(Base):
}

IS_TEST_ENVIRONMENT = True

CSRF_COOKIE_SECURE = False
SECURE_HSTS_SECONDS = 0
SECURE_PROXY_SSL_HEADER = None # type: ignore[assignment] # Django accepts None to disable.
SECURE_SSL_REDIRECT = False
SESSION_COOKIE_SECURE = False