Craig Loftus
Server
Django
TLS
Security headers
Certification Authority Authorization
example.org. CAA 128 issue "letsencrypt.org"
Not a hard technical control
Certificate Transparency
Tries to fix certificate revocation...
Enforce with Must-Staple
By default
$ ./manage.py check --deploy
X_FRAME_OPTIONS = 'DENY'
CSRF_COOKIE_SECURE = True
SESSION_COOKIE_SECURE = True
SECURE_SSL_REDIRECT = True
SECURE_BROWSER_XSS_FILTER = True
SECURE_CONTENT_TYPE_NOSNIFF = True
CSP_DEFAULT_SRC = ("'self'",)
CSP_SCRIPT_SRC = ("'self'", "static.example.com")
CSP_IMG_SRC = ("*",)
$ pip install django-csp
csp.middleware.CSPMiddleware
Mitigate cross-site scripting attacks by blocking resources
CSP_DEFAULT_SRC = ("'none'",)
CSP_REPORT_ONLY = True
CSP_REPORT_URI = "{wizard url}"
Migrating an existing site can be daunting
CSP_UPGRADE_INSECURE_REQUESTS = True
CSP_BLOCK_ALL_MIXED_CONTENT = True
'unsafe-inline'
'unsafe-eval'
Don't be Mozilla
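As an added example (not code from the slides or from django-csp itself), the following renders django-csp style CSP_* settings into the header a browser would receive and flags the sources that weaken the policy; the setting names follow the slides, while the rendering is an assumed, simplified re-implementation and the report URI is a placeholder.

```python
# Added example (not from the slides or from django-csp itself): render
# django-csp style CSP_* settings into the header a browser receives and
# flag sources that weaken the policy. Setting names follow the slides;
# the rendering is a simplified re-implementation, not django-csp's code.

# Subset of the setting -> directive mapping django-csp understands.
DIRECTIVES = {
    "CSP_DEFAULT_SRC": "default-src",
    "CSP_SCRIPT_SRC": "script-src",
    "CSP_IMG_SRC": "img-src",
    "CSP_REPORT_URI": "report-uri",
}
# Boolean settings that become value-less directives.
FLAGS = {
    "CSP_UPGRADE_INSECURE_REQUESTS": "upgrade-insecure-requests",
    "CSP_BLOCK_ALL_MIXED_CONTENT": "block-all-mixed-content",
}

def _sources(value):
    """Normalise a setting to a tuple: strings are single sources."""
    return (value,) if isinstance(value, str) else tuple(value or ())

def build_csp_header(settings):
    """Return (header_name, header_value) for a dict of CSP_* settings."""
    parts = [f"{d} {' '.join(_sources(settings.get(k)))}"
             for k, d in DIRECTIVES.items() if settings.get(k)]
    parts += [d for k, d in FLAGS.items() if settings.get(k)]
    # Report-only mode switches the header name, not the policy text.
    name = "Content-Security-Policy"
    if settings.get("CSP_REPORT_ONLY"):
        name += "-Report-Only"
    return name, "; ".join(parts)

def weak_sources(settings):
    """List (directive, source) pairs that undo the XSS protection."""
    risky = {"'unsafe-inline'", "'unsafe-eval'", "*"}
    return [(d, s) for k, d in DIRECTIVES.items()
            for s in _sources(settings.get(k)) if s in risky]

# Constructed settings for the report-only rollout stage from the slides.
ROLLOUT = {
    "CSP_DEFAULT_SRC": ("'none'",),
    "CSP_SCRIPT_SRC": ("'self'", "static.example.com", "'unsafe-inline'"),
    "CSP_IMG_SRC": ("*",),
    "CSP_REPORT_ONLY": True,
    "CSP_REPORT_URI": "/csp-report/",  # placeholder for the wizard URL
    "CSP_UPGRADE_INSECURE_REQUESTS": True,
}
```

Running `weak_sources` over the settings before flipping `CSP_REPORT_ONLY` off shows which directives still need tightening before enforcement.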
REFERRER_POLICY = "same-origin"
$ pip install django-referrer-policy
django_referrer_policy.middleware.ReferrerPolicyMiddleware
How and when to send the Referer header
FEATURE_POLICY = {
'geolocation': 'none',
'usb': 'none',
}
$ pip install django-feature-policy
django_feature_policy.FeaturePolicyMiddleware
Lets you turn off browser features