
Adds CSP header (frame-ancestors 'self') to django settings (gitcoinc…
gdixon committed Feb 1, 2021
1 parent 7dcab26 commit ef9a1c7
Showing 2 changed files with 6 additions and 0 deletions.
5 changes: 5 additions & 0 deletions app/app/settings.py
Expand Up @@ -78,6 +78,7 @@

# Application definition
INSTALLED_APPS = [
'csp',
'corsheaders',
'django.contrib.admin',
'taskapp.celery.CeleryConfig',
Expand Down Expand Up @@ -152,6 +153,7 @@
]

MIDDLEWARE = [
'csp.middleware.CSPMiddleware',
'corsheaders.middleware.CorsMiddleware',
'django.middleware.security.SecurityMiddleware',
'django.contrib.sessions.middleware.SessionMiddleware',
Expand Down Expand Up @@ -738,6 +740,9 @@ def callback(request):
if not AWS_S3_OBJECT_PARAMETERS:
AWS_S3_OBJECT_PARAMETERS = {'CacheControl': f'max-age={AWS_S3_CACHE_MAX_AGE}', }

CSP_DEFAULT_SRC = False
CSP_FRAME_ANCESTORS = 'self'

CORS_ORIGIN_ALLOW_ALL = False
CORS_ORIGIN_WHITELIST = ('sumo.com', 'load.sumo.com', 'googleads.g.doubleclick.net', 'gitcoin.co', 'github.com',)
CORS_ORIGIN_WHITELIST = CORS_ORIGIN_WHITELIST + (AWS_S3_CUSTOM_DOMAIN, MEDIA_CUSTOM_DOMAIN,)
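Review bot: `CSP_FRAME_ANCESTORS = 'self'` in the third hunk is the plain Python string self, not the CSP keyword `'self'` (which must carry its own single quotes inside the header), so django-csp emits `frame-ancestors self`; browsers read an unquoted token as a host-source, which matches no origin and so denies framing everywhere, including same-origin pages, rather than allowing it. The setting should be `CSP_FRAME_ANCESTORS = ("'self'",)`, the tuple-of-quoted-sources form django-csp documents for every source directive. Since `CSP_DEFAULT_SRC = False` drops default-src, the resulting header carries only the frame-ancestors directive; a comment such as `# Only clickjacking protection for now; no default-src, so scripts/styles are not yet restricted by CSP` above these two lines would stop a later reader from assuming a full policy is in force. Note that this frame-ancestors value is independent of Django's X_FRAME_OPTIONS, which the settings presumably still set elsewhere and which remains the fallback for older browsers.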
1 change: 1 addition & 0 deletions requirements/base.txt
Expand Up @@ -5,6 +5,7 @@ cryptography==2.3
celery==4.4.0
django-celery-beat==1.1.1
django==2.2.4
django-csp==3.7
django-cors-headers==2.4.0
django-filter==2.0.0
django-haystack
