changes from security audit 2024 November

Author: sniedzielski

openIMIS/openIMIS/settings.py

@@ -224,6 +224,7 @@ def SITE_URL():
     "django.middleware.csrf.CsrfViewMiddleware",
     "django.contrib.auth.middleware.AuthenticationMiddleware",
     "core.middleware.SecurityHeadersMiddleware",
+    "csp.middleware.CSPMiddleware",
 ]
 
 MODE = os.environ.get("MODE")
@@ -334,10 +335,6 @@ def SITE_URL():
         "JWT_COOKIE_SAMESITE": "Lax",
     })
 
-    CSRF_COOKIE_SECURE = True
-    CSRF_COOKIE_HTTPONLY = True
-    CSRF_COOKIE_SAMESITE = 'Lax'
-
     SECURE_BROWSER_XSS_FILTER = True
     SECURE_CONTENT_TYPE_NOSNIFF = True
     SECURE_HSTS_SECONDS = 63072000
@@ -659,3 +656,29 @@ def SITE_URL():
 PASSWORD_SYMBOLS = int(os.getenv('PASSWORD_SYMBOLS', 1))
 
 IS_UNIT_TEST_ENV = 'test' in sys.argv
+
+# CSRF settings
+CSRF_COOKIE_SECURE = True
+SESSION_COOKIE_SECURE = True
+# session cookie validity = 8 hours
+SESSION_COOKIE_AGE = 28800
+SESSION_COOKIE_NAME = "openimis_session"
+
+# CORS settings
+CORS_ALLOW_CREDENTIALS = True
+
+# Cookie settings
+CSRF_COOKIE_NAME = 'csrftoken'
+CSRF_USE_SESSIONS = True
+SESSION_COOKIE_SAMESITE = 'Lax'  # or 'None' if cross-site
+CSRF_COOKIE_SAMESITE = 'Lax'  # or 'None' if cross-site
+CSRF_COOKIE_HTTPONLY = False  # False if you need to access it from JavaScript
+
+USER_AGENT_CSRF_BYPASS = []
+
+CSP_DEFAULT_SRC = ["'self'"]
+CSP_SCRIPT_SRC = ["'self'"]
+CSP_STYLE_SRC = ["'self'"]
+CSP_IMG_SRC = ["'self'", "data:"]  # Allows images from the same origin and base64 encoded images
+CSP_FRAME_ANCESTORS = ["'self'"]
+

requirements.txt

@@ -32,7 +32,7 @@ waitress
 wheel
 whitenoise
 django-health-check
-requests~=2.32.0
+requests~=2.32.0
 apscheduler==3.10.1
 # As from v0.4, Django-apscheduler has a migration that is incompatible with SQL Server
 # (autoincrement int => bigint) so we are using our own fork with a squashed migration
@@ -57,3 +57,4 @@ django-opensearch-dsl==0.5.1
 zxcvbn~=4.4.28
 password-validator==1.0
 django-axes==6.4.0
+django-csp