From cec2ad48cc64c1e583b90b4e4ea9f251e673cfe9 Mon Sep 17 00:00:00 2001
From: Julio-Oliveira-Encora
Date: Wed, 10 Apr 2024 10:39:40 -0300
Subject: [PATCH 1/3] Added SECURE_HSTS_SECONDSm SECURE_HSTS_INCLUDE_SUBDOMAINS, and SECURE_HSTS_PRELOAD to settings.py
---
 netbox/netbox/settings.py | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/netbox/netbox/settings.py b/netbox/netbox/settings.py
index 94303225346..53b73365200 100644
--- a/netbox/netbox/settings.py
+++ b/netbox/netbox/settings.py
@@ -178,6 +178,9 @@
 TIME_ZONE = getattr(configuration, 'TIME_ZONE', 'UTC')
 ENABLE_LOCALIZATION = getattr(configuration, 'ENABLE_LOCALIZATION', False)
 CHANGELOG_SKIP_EMPTY_CHANGES = getattr(configuration, 'CHANGELOG_SKIP_EMPTY_CHANGES', True)
+SECURE_HSTS_SECONDS = getattr(configuration, 'SECURE_HSTS_SECONDS', 0)
+SECURE_HSTS_INCLUDE_SUBDOMAINS = getattr(configuration, 'SECURE_HSTS_INCLUDE_SUBDOMAINS', False)
+SECURE_HSTS_PRELOAD = getattr(configuration, 'SECURE_HSTS_PRELOAD', False)
 # Check for hard-coded dynamic config parameters
 for param in PARAMS:
From ee1aa8108f69ceacee6254dcb81f82d772665cd2 Mon Sep 17 00:00:00 2001
From: Julio-Oliveira-Encora
Date: Thu, 11 Apr 2024 11:02:58 -0300
Subject: [PATCH 2/3] Addressed some PR comments.
---
 docs/configuration/security.md | 25 +++++++++++++++++++++++++
 netbox/netbox/settings.py | 7 ++++---
 2 files changed, 29 insertions(+), 3 deletions(-)
diff --git a/docs/configuration/security.md b/docs/configuration/security.md
index 2ae92285f1d..3b8120f5baf 100644
--- a/docs/configuration/security.md
+++ b/docs/configuration/security.md
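Review bot: The two boolean settings added here (and re-added by the patch-2 hunk at `@@ -160,6 +160,9 @@`) are inert unless `SECURE_HSTS_SECONDS` is non-zero: Django's SecurityMiddleware only emits `Strict-Transport-Security` when its `sts_seconds` is truthy and `request.is_secure()` is true, so with the default of 0 neither `includeSubDomains` nor `preload` is ever sent. Behind a TLS-terminating reverse proxy `request.is_secure()` also stays false until Django's `SECURE_PROXY_SSL_HEADER` is configured, so an operator who sets only `SECURE_HSTS_SECONDS` may still observe no header; whether NetBox exposes that setting is not visible in this diff. A short comment above the three lines would save the next reader a trip to the Django docs: `# HSTS directives are only emitted when SECURE_HSTS_SECONDS is non-zero and Django sees the request as HTTPS (SECURE_PROXY_SSL_HEADER behind a TLS-terminating proxy)`. The same caveat belongs in the `security.md` text added in patch 2.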
@@ -183,6 +183,31 @@ The view name or URL to which a user is redirected after logging out.
 ---
+## SECURE_HSTS_INCLUDE_SUBDOMAINS
+
+Default: False
+
+If true, the `includeSubDomains` directive will be included in the HTTP Strict Transport Security (HSTS) header. This directive instructs the browser to apply the HSTS policy to all subdomains of the current domain.
+
+---
+
+## SECURE_HSTS_PRELOAD
+
+Default: False
+
+If true, the `preload` directive will be included in the HTTP Strict Transport Security (HSTS) header. This directive instructs the browser to preload the site in HTTPS. Browsers that use the HSTS preload list will force the site to be accessed via HTTPS even if the user types HTTP in the address bar.
+
+---
+
+## SECURE_HSTS_SECONDS
+
+Default: 0
+
+If set to a non-zero integer value, the SecurityMiddleware sets the HTTP Strict Transport Security header on all responses that do not already have it.
+If the website must be accessed via HTTPS, it is recommended to set SECURE_HSTS_SECONDS. It will make the browser remember that the website must be accessed via HTTPS, blocking any HTTP request.
+
+---
+
 ## SECURE_SSL_REDIRECT
 Default: False
diff --git a/netbox/netbox/settings.py b/netbox/netbox/settings.py
index 53b73365200..ec698a8c019 100644
--- a/netbox/netbox/settings.py
+++ b/netbox/netbox/settings.py
@@ -160,6 +160,9 @@
 RQ_RETRY_MAX = getattr(configuration, 'RQ_RETRY_MAX', 0)
 SCRIPTS_ROOT = getattr(configuration, 'SCRIPTS_ROOT', os.path.join(BASE_DIR, 'scripts')).rstrip('/')
 SEARCH_BACKEND = getattr(configuration, 'SEARCH_BACKEND', 'netbox.search.backends.CachedValueSearchBackend')
+SECURE_HSTS_INCLUDE_SUBDOMAINS = getattr(configuration, 'SECURE_HSTS_INCLUDE_SUBDOMAINS', False)
+SECURE_HSTS_PRELOAD = getattr(configuration, 'SECURE_HSTS_PRELOAD', False)
+SECURE_HSTS_SECONDS = getattr(configuration, 'SECURE_HSTS_SECONDS', 0)
 SECURE_SSL_REDIRECT = getattr(configuration, 'SECURE_SSL_REDIRECT', False)
 SENTRY_DSN = getattr(configuration, 'SENTRY_DSN', None)
 SENTRY_ENABLED = getattr(configuration, 'SENTRY_ENABLED', False)
@@ -178,9 +181,7 @@
 TIME_ZONE = getattr(configuration, 'TIME_ZONE', 'UTC')
 ENABLE_LOCALIZATION = getattr(configuration, 'ENABLE_LOCALIZATION', False)
 CHANGELOG_SKIP_EMPTY_CHANGES = getattr(configuration, 'CHANGELOG_SKIP_EMPTY_CHANGES', True)
-SECURE_HSTS_SECONDS = getattr(configuration, 'SECURE_HSTS_SECONDS', 0)
-SECURE_HSTS_INCLUDE_SUBDOMAINS = getattr(configuration, 'SECURE_HSTS_INCLUDE_SUBDOMAINS', False)
-SECURE_HSTS_PRELOAD = getattr(configuration, 'SECURE_HSTS_PRELOAD', False)
+
 # Check for hard-coded dynamic config parameters
 for param in PARAMS:
From 5b863d4593ff80a60e678ff5793d359359b86091 Mon Sep 17 00:00:00 2001
From: Jeremy Stretch
Date: Mon, 15 Apr 2024 10:17:44 -0400
Subject: [PATCH 3/3] Apply suggestions from code review
---
 docs/configuration/security.md | 3 +--
 netbox/netbox/settings.py | 1 -
 2 files changed, 1 insertion(+), 3 deletions(-)
diff --git a/docs/configuration/security.md b/docs/configuration/security.md
index 3b8120f5baf..9de09cedad0 100644
--- a/docs/configuration/security.md
+++ b/docs/configuration/security.md
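Review bot: Nothing validates the combination these three `getattr` lines accept: `SECURE_HSTS_PRELOAD = True` advertises the site for the browser HSTS preload lists, whose submission criteria require `includeSubDomains` and a `max-age` of at least one year (31536000 seconds), and Django's SecurityMiddleware does not cross-check the three settings. The failure mode is silent, since a `preload` directive without `includeSubDomains` is simply ignored by the preload lists, while a long `max-age` with `includeSubDomains` is enforced by every browser that has cached it for every subdomain of the NetBox host until the max-age expires. A two-line check beside the existing hard-coded-parameter loop would surface the inconsistency at startup: `if SECURE_HSTS_PRELOAD and not (SECURE_HSTS_INCLUDE_SUBDOMAINS and SECURE_HSTS_SECONDS >= 31536000):` / `    raise ImproperlyConfigured("SECURE_HSTS_PRELOAD requires SECURE_HSTS_INCLUDE_SUBDOMAINS=True and SECURE_HSTS_SECONDS of at least 31536000")`, assuming `ImproperlyConfigured` is already in scope in settings.py, which this diff does not show. The removal hunk that follows in the same patch needs no change.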
@@ -203,8 +203,7 @@ If true, the `preload` directive will be included in the HTTP Strict Transport S
 Default: 0
-If set to a non-zero integer value, the SecurityMiddleware sets the HTTP Strict Transport Security header on all responses that do not already have it.
-If the website must be accessed via HTTPS, it is recommended to set SECURE_HSTS_SECONDS. It will make the browser remember that the website must be accessed via HTTPS, blocking any HTTP request.
+If set to a non-zero integer value, the SecurityMiddleware sets the HTTP Strict Transport Security (HSTS) header on all responses that do not already have it. This will instruct the browser that the website must be accessed via HTTPS, blocking any HTTP request.
 ---
diff --git a/netbox/netbox/settings.py b/netbox/netbox/settings.py
index ec698a8c019..55002aa87f2 100644
--- a/netbox/netbox/settings.py
+++ b/netbox/netbox/settings.py
@@ -182,7 +182,6 @@
 ENABLE_LOCALIZATION = getattr(configuration, 'ENABLE_LOCALIZATION', False)
 CHANGELOG_SKIP_EMPTY_CHANGES = getattr(configuration, 'CHANGELOG_SKIP_EMPTY_CHANGES', True)
-
 # Check for hard-coded dynamic config parameters
 for param in PARAMS:
 if hasattr(configuration, param.name):