I haven't forgotten about this, but it'll likely be another day or two
before I can lay out a proper plan.
--
You received this message because you are subscribed to the Google Groups
"Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving e
Hi Curtis,
It sounds like James is going to get things rolling, but to answer your
question, the third-party app we set up to get to A+ on securityheaders.com
integrated the following:
1. Adds the 'Referrer-Policy' header with a default policy of 'same-origin'
2. Adds the 'Feature-Po
On Mon, Jul 15, 2019 at 10:27 PM Curtis Maloney wrote:
> I think there is certainly a strong case based on "secure by default" to
> include this in core, where it would otherwise face the "it works fine as a
> 3rd party app" barrier to entry.
>
> IMHO it would require, however, that the solutions
I think there is certainly a strong case based on "secure by default" to
include this in core, where it would otherwise face the "it works fine as a 3rd
party app" barrier to entry.
IMHO it would require, however, that the solutions be sufficiently generic as
to not enforce an overly restrictiv
Hi all,
Sorry for jumping in on an old thread, but I stumbled across James' post
after writing a similar wish list. Securityheaders.com (and the Mozilla
http-observatory) score an out-of-the-box Django site fairly harshly. With
that in mind, a colleague and I put together a very simple packa
If anyone feels competent to review, there's a PR open now for the first
part of this, adding Referrer-Policy support:
https://github.com/django/django/pull/9953
Hey James,
I think these ideas are fantastic.
I used EmberJS for a project and the development server contained a built-in
CSP report URL which just printed what the browser sent to the console.
This was very useful during development as you could immediately see CSP
errors that were triggered ra
Regarding CSP, I'd like to point to this thread from a year ago, "Django
and CSP strict-dynamic",
https://groups.google.com/forum/#!topic/django-developers/n--RWhLAoYM.
Unfortunately I haven't had time to follow through on it (yet?).
I think `strict-dynamic` provides an avenue for on-by-default CS
On Thursday, 3 May 2018 05:27:11 UTC+1, Josh Smeaton wrote:
>
> As Jacob mentioned, CSP can be quite scary, and sounds like something a
> novice could try to implement for "good security" and end up causing way
> more issues.
>
Perhaps documenting some of the new (and more accessible) CSP toolin
Most of this sounds really good. As Jacob mentioned, CSP can be quite
scary, and sounds like something a novice could try to implement for "good
security" and end up causing way more issues. I'd really like to see easy
integration for report only mode, with controls that are harder to turn for
Great ideas, James. I totally agree we shouldn't rest on our laurels, and
love the goal of pushing things forwards. Overall, I'm not sure a DEP is
needed: each of these things is fairly small and tightly scoped, can be
implemented on its own, and provides value independent of the whole. That
seems
I've written this up in pseudo-DEP format partly for ease of
organization, and partly because I'm unsure whether it would require a
DEP. Right now I'm just throwing it out here as a proposal, and
offering to work on implementing it; if you have questions, concerns,
or suggestions for things to add