Skip to content

security: harden production settings for GraphQL, HSTS, and HTTP headers (fixes #3783) #3799

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
arkid15r merged 18 commits into from
Feb 12, 2026
Merged

security: harden production settings for GraphQL, HSTS, and HTTP headers (fixes #3783) #3799

Show file tree
Hide file tree
Changes from 14 commits
Commits
Show all changes
18 commits
Select commit Hold shift + click to select a range
fb4083b
Refactor Dockerfile to improve caching and security
ScienHAC Feb 5, 2026
d8d8c2f
Merge branch 'OWASP:main' into main
ScienHAC Feb 5, 2026
c19fb64
Update base.py
ScienHAC Feb 5, 2026
71894b0
Update graphql.py
ScienHAC Feb 5, 2026
21684b9
Update production.py
ScienHAC Feb 5, 2026
1b204b7
Merge branch 'OWASP:main' into main
ScienHAC Feb 6, 2026
62f6d92
Merge branch 'OWASP:main' into main
ScienHAC Feb 8, 2026
894cbf6
Apply suggestion from @cubic-dev-ai[bot]
ScienHAC Feb 8, 2026
502c36f
Update Dockerfile
ScienHAC Feb 8, 2026
9c61fc0
Update Dockerfile
ScienHAC Feb 8, 2026
d817ed8
Add security settings for HSTS and SSL
ScienHAC Feb 8, 2026
5c4d4b8
Simplify GraphQL schema extensions setup
ScienHAC Feb 8, 2026
439d41f
Update staging.py
ScienHAC Feb 8, 2026
ea4e219
Update staging.py
ScienHAC Feb 8, 2026
9aa535a
Merge branch 'main' into pr/ScienHAC/3799
arkid15r Feb 12, 2026
de32260
Update code
arkid15r Feb 12, 2026
c7fa9aa
Merge branch 'main' into main
arkid15r Feb 12, 2026
d28bf41
Update code
arkid15r Feb 12, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions backend/settings/base.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -229,3 +229,5 @@ class Base(Configuration):
SLACK_COMMANDS_ENABLED = True
SLACK_EVENTS_ENABLED = True
SLACK_SIGNING_SECRET = values.SecretValue()

SECURE_CONTENT_TYPE_NOSNIFF = True
13 changes: 11 additions & 2 deletions backend/settings/graphql.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,8 @@
"""GraphQL schema."""

import strawberry
from strawberry.extensions import QueryDepthLimiter
from django.conf import settings
from strawberry.extensions import DisableIntrospection, QueryDepthLimiter
from strawberry_django.optimizer import DjangoOptimizerExtension

from apps.api.internal.mutations import ApiMutations
Expand Down Expand Up @@ -42,8 +43,16 @@ class Query(
"""Schema queries."""


extensions = [
QueryDepthLimiter(max_depth=5),
DjangoOptimizerExtension(),
]

if not settings.DEBUG and not getattr(settings, "IS_FUZZ_ENVIRONMENT", False):

@arkid15r arkid15r Feb 9, 2026

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's make settings.IS_FUZZ_ENVIRONMENT work.

extensions.append(DisableIntrospection())

schema = strawberry.Schema(
mutation=Mutation,
query=Query,
extensions=[QueryDepthLimiter(max_depth=5), DjangoOptimizerExtension()],
extensions=extensions,
)
7 changes: 7 additions & 0 deletions backend/settings/production.py
View file
Open in desktop
Comment thread
ScienHAC marked this conversation as resolved.
Original file line number Diff line number Diff line change
Expand Up @@ -54,3 +54,10 @@ class Production(Base):

SLACK_COMMANDS_ENABLED = True
SLACK_EVENTS_ENABLED = True

# Security

@arkid15r arkid15r Feb 9, 2026

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A believe a more reasonable default would be to have security settings shared by staging/production via base.py and have them overridden in local as needed.

SECURE_HSTS_SECONDS = 31536000
SECURE_HSTS_INCLUDE_SUBDOMAINS = True
SECURE_HSTS_PRELOAD = True
SECURE_SSL_REDIRECT = True
Comment thread
ScienHAC marked this conversation as resolved.
Outdated

Copilot AI Feb 6, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The staging environment (backend/settings/staging.py) should also include the same HSTS and SSL security settings as production. Staging environments typically serve over HTTPS with valid certificates and should mirror production security configurations to catch issues before they reach production. Consider adding the same SECURE_HSTS_SECONDS, SECURE_HSTS_INCLUDE_SUBDOMAINS, SECURE_HSTS_PRELOAD, and SECURE_SSL_REDIRECT settings to staging.py.

Copilot uses AI. Check for mistakes.
SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")
13 changes: 7 additions & 6 deletions backend/settings/staging.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,8 +1,6 @@
"""OWASP Nest staging configuration."""

import sentry_sdk
from configurations import values

from settings.base import Base


Expand All @@ -24,12 +22,10 @@ class Staging(Base):
AWS_S3_OBJECT_PARAMETERS = {
"CacheControl": "max-age=86400",
}

AWS_LOCATION = "static"

# Static files (CSS, JavaScript, Images)
STATIC_URL = f"https://{AWS_S3_CUSTOM_DOMAIN}/{AWS_LOCATION}/"

STORAGES = {
"default": {
"BACKEND": "storages.backends.s3.S3Storage",
Expand All @@ -42,12 +38,17 @@ class Staging(Base):
APP_NAME = "OWASP Nest Staging"
SITE_NAME = "nest.owasp.dev"
SITE_URL = f"https://{SITE_NAME}"

ALLOWED_ORIGINS = (SITE_URL,)
CORS_ALLOWED_ORIGINS = ALLOWED_ORIGINS
CSRF_TRUSTED_ORIGINS = ALLOWED_ORIGINS

IS_STAGING_ENVIRONMENT = True

SLACK_COMMANDS_ENABLED = True
SLACK_EVENTS_ENABLED = True

# Security
SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")
SECURE_HSTS_SECONDS = 31536000
SECURE_HSTS_INCLUDE_SUBDOMAINS = True
SECURE_HSTS_PRELOAD = True
SECURE_SSL_REDIRECT = True