8 changes: 8 additions & 0 deletions backend/settings/base.py
Expand Up @@ -28,6 +28,7 @@ class Base(Configuration):

RELEASE_VERSION = values.Value(environ_name="RELEASE_VERSION")

CSRF_COOKIE_SECURE = True
SESSION_COOKIE_HTTPONLY = True
SESSION_COOKIE_NAME = "nest.session-id"
SESSION_COOKIE_SAMESITE = "Lax"
Expand Down Expand Up @@ -229,3 +230,10 @@ class Base(Configuration):
SLACK_COMMANDS_ENABLED = True
SLACK_EVENTS_ENABLED = True
SLACK_SIGNING_SECRET = values.SecretValue()

SECURE_CONTENT_TYPE_NOSNIFF = True
SECURE_HSTS_INCLUDE_SUBDOMAINS = True
SECURE_HSTS_PRELOAD = True
SECURE_HSTS_SECONDS = 31536000
SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")
SECURE_SSL_REDIRECT = True

P1: SECURE_SSL_REDIRECT = True in the Base configuration is not overridden in test.py. The local, e2e, and fuzz configurations all correctly override this to False, but the test configuration does not. This will cause Django's SecurityMiddleware to 301-redirect all HTTP requests to HTTPS during tests, which can break test assertions expecting direct responses.

Either add SECURE_SSL_REDIRECT = False to backend/settings/test.py, or move SECURE_SSL_REDIRECT = True out of base.py and into only the configurations that need it (production, staging).

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At backend/settings/base.py, line 239:

<comment>`SECURE_SSL_REDIRECT = True` in the Base configuration is not overridden in `test.py`. The local, e2e, and fuzz configurations all correctly override this to `False`, but the test configuration does not. This will cause Django's `SecurityMiddleware` to 301-redirect all HTTP requests to HTTPS during tests, which can break test assertions expecting direct responses.

Either add `SECURE_SSL_REDIRECT = False` to `backend/settings/test.py`, or move `SECURE_SSL_REDIRECT = True` out of `base.py` and into only the configurations that need it (production, staging).</comment>

<file context>
@@ -231,3 +232,8 @@ class Base(Configuration):
+    SECURE_HSTS_PRELOAD = True
+    SECURE_HSTS_SECONDS = 31536000
+    SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")
+    SECURE_SSL_REDIRECT = True
</file context>
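Review bot: `SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")` in Base makes `request.is_secure()` trust the `X-Forwarded-Proto` header in every configuration that inherits it, which is only safe when a proxy in front of the app overwrites that header on each request; nothing in the hunk records that assumption, so a configuration served directly (without overriding this to `None`) would let a client-supplied header spoof the scheme. Consider a comment on the line such as `# Only valid behind a proxy that sets X-Forwarded-Proto on every request; configurations served directly must override this to None.`. Separately, `SECURE_HSTS_PRELOAD = True` together with `SECURE_HSTS_INCLUDE_SUBDOMAINS = True` in Base is inherited by Staging (served at nest.owasp.dev per the staging.py section) as well as production, and preload-list inclusion is hard to reverse, so it may be worth setting `SECURE_HSTS_PRELOAD` only in the production configuration. The Base class body continues outside both hunks.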

6 changes: 6 additions & 0 deletions backend/settings/e2e.py
Expand Up @@ -22,3 +22,9 @@ class E2E(Base):
IS_E2E_ENVIRONMENT = True
LOGGING = {}
PUBLIC_IP_ADDRESS = values.Value()

CSRF_COOKIE_SECURE = False
SECURE_HSTS_SECONDS = 0
SECURE_PROXY_SSL_HEADER = None # type: ignore[assignment] # Django accepts None to disable.
SECURE_SSL_REDIRECT = False
SESSION_COOKIE_SECURE = False
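Review bot: The five-line block from `CSRF_COOKIE_SECURE = False` to `SESSION_COOKIE_SECURE = False` added here is repeated verbatim in the fuzz.py, local.py and test.py sections of this commit, including the same `# type: ignore[assignment]` line in each. A shared mixin in the settings package holding these five attributes, placed before `Base` in the bases of each of the four non-TLS configurations so it wins in the MRO, would keep them in step when the next transport setting is added. Whichever form is kept, a one-line comment on the block such as `# This harness runs over plain HTTP; the transport-security settings inherited from Base are disabled here.` would say why secure-cookie flags are being turned off. The E2E class header is outside the hunk.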
7 changes: 7 additions & 0 deletions backend/settings/fuzz.py
Expand Up @@ -12,5 +12,12 @@ class Fuzz(Base):
SITE_URL = "http://localhost:9500"

IS_FUZZ_ENVIRONMENT = True

LOGGING = {}
PUBLIC_IP_ADDRESS = values.Value()

CSRF_COOKIE_SECURE = False
SECURE_HSTS_SECONDS = 0
SECURE_PROXY_SSL_HEADER = None # type: ignore[assignment] # Django accepts None to disable.
SECURE_SSL_REDIRECT = False
SESSION_COOKIE_SECURE = False
17 changes: 11 additions & 6 deletions backend/settings/graphql.py
@@ -1,7 +1,8 @@
"""GraphQL schema."""

import strawberry
from strawberry.extensions import QueryDepthLimiter
from django.conf import settings
from strawberry.extensions import DisableIntrospection, QueryDepthLimiter
from strawberry_django.optimizer import DjangoOptimizerExtension

from apps.api.internal.mutations import ApiMutations
Expand Down Expand Up @@ -42,8 +43,12 @@ class Query(
"""Schema queries."""


schema = strawberry.Schema(
mutation=Mutation,
query=Query,
extensions=[QueryDepthLimiter(max_depth=5), DjangoOptimizerExtension()],
)
extensions = [
QueryDepthLimiter(max_depth=5),
DjangoOptimizerExtension(),
]

if not settings.DEBUG and not settings.IS_FUZZ_ENVIRONMENT:
extensions.append(DisableIntrospection())

schema = strawberry.Schema(extensions=extensions, mutation=Mutation, query=Query)
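Review bot: `settings.IS_FUZZ_ENVIRONMENT` in the new `if` is read unconditionally at import time, so unless Base declares a default for it (the base.py section of this commit does not show one; only fuzz.py sets it), every non-fuzz configuration would raise `AttributeError` when the schema module loads. If Base has no default, `if not settings.DEBUG and not getattr(settings, "IS_FUZZ_ENVIRONMENT", False):` keeps the intent without depending on it. A short comment on the branch, e.g. `# Introspection is disabled outside DEBUG; the fuzz configuration is exempt (presumably the fuzzer reads the schema — confirm).`, would also record why fuzz is treated differently. The `extensions` list and the `schema` assignment are complete within the hunk.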
7 changes: 7 additions & 0 deletions backend/settings/local.py
Expand Up @@ -21,5 +21,12 @@ class Local(Base):
IS_LOCAL_ENVIRONMENT = True
LOGGING = {}
PUBLIC_IP_ADDRESS = values.Value()

CSRF_COOKIE_SECURE = False
SECURE_HSTS_SECONDS = 0
SECURE_PROXY_SSL_HEADER = None # type: ignore[assignment] # Django accepts None to disable.
SECURE_SSL_REDIRECT = False
SESSION_COOKIE_SECURE = False

SLACK_COMMANDS_ENABLED = True
SLACK_EVENTS_ENABLED = True
4 changes: 0 additions & 4 deletions backend/settings/staging.py
Expand Up @@ -24,12 +24,10 @@ class Staging(Base):
AWS_S3_OBJECT_PARAMETERS = {
"CacheControl": "max-age=86400",
}

AWS_LOCATION = "static"

# Static files (CSS, JavaScript, Images)
STATIC_URL = f"https://{AWS_S3_CUSTOM_DOMAIN}/{AWS_LOCATION}/"

STORAGES = {
"default": {
"BACKEND": "storages.backends.s3.S3Storage",
Expand All @@ -42,12 +40,10 @@ class Staging(Base):
APP_NAME = "OWASP Nest Staging"
SITE_NAME = "nest.owasp.dev"
SITE_URL = f"https://{SITE_NAME}"

ALLOWED_ORIGINS = (SITE_URL,)
CORS_ALLOWED_ORIGINS = ALLOWED_ORIGINS
CSRF_TRUSTED_ORIGINS = ALLOWED_ORIGINS

IS_STAGING_ENVIRONMENT = True

SLACK_COMMANDS_ENABLED = True
SLACK_EVENTS_ENABLED = True
6 changes: 6 additions & 0 deletions backend/settings/test.py
Expand Up @@ -14,3 +14,9 @@ class Test(Base):
}

IS_TEST_ENVIRONMENT = True

CSRF_COOKIE_SECURE = False
SECURE_HSTS_SECONDS = 0
SECURE_PROXY_SSL_HEADER = None # type: ignore[assignment] # Django accepts None to disable.
SECURE_SSL_REDIRECT = False
SESSION_COOKIE_SECURE = False