From f3232cc5df9e28a7c13920c2198745afbb3cb944 Mon Sep 17 00:00:00 2001
From: Philip Sargent
Date: Sat, 20 Jun 2020 23:08:34 +0100
Subject: More security, middleware upgrade, dj-reg.2.5
---
 settings.py | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
(limited to 'settings.py')
diff --git a/settings.py b/settings.py
index 51c2633..83ce1b3 100644
--- a/settings.py
+++ b/settings.py
@@ -95,6 +95,11 @@ SMART_APPEND_SLASH = True
 SECRET_KEY = "not-the-real-secret-key-a#vaeozn0---^fj!355qki*vj2"
 LOGIN_REDIRECT_URL = '/'
+SECURE_CONTENT_TYPE_NOSNIFF = True
+SECURE_BROWSER_XSS_FILTER = True
+#SESSION_COOKIE_SECURE = True # if enabled, cannot login to Django control panel
+CSRF_COOKIE_SECURE = True
+X_FRAME_OPTIONS = 'SAMEORIGIN' # change to "DENY" after we eliminate all the iframes in use.
 INSTALLED_APPS = (
 'django.contrib.admin',
@@ -102,7 +107,7 @@ INSTALLED_APPS = (
 'django.contrib.contenttypes',
 'django.contrib.sessions',
 'django.contrib.messages',
-# 'django.contrib.staticfiles',
+# 'django.contrib.staticfiles', # apparently not working. Using workarounds with flatpages
 'registration',
 'troggle.profiles',
 'troggle.core',
@@ -110,6 +115,7 @@ INSTALLED_APPS = (
 )
 MIDDLEWARE_CLASSES = (
+ 'django.middleware.security.SecurityMiddleware',
 'django.middleware.common.CommonMiddleware',
 'django.contrib.sessions.middleware.SessionMiddleware',
 'django.contrib.auth.middleware.AuthenticationMiddleware',
-- 
cgit v1.2.3
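Review bot: The commented-out `SESSION_COOKIE_SECURE` in the first hunk leaves the session cookie sendable over plain HTTP, and that is the one cookie whose theft hands an attacker the logged-in admin session; the comment records the symptom (admin login fails) but that symptom means the login is being performed over HTTP, so the fix is to serve the site over HTTPS (or set `SECURE_PROXY_SSL_HEADER` and `SECURE_SSL_REDIRECT` when TLS is terminated at a proxy) rather than to drop the flag. The same HTTP login would presumably also stop the browser from sending the `Secure`-flagged CSRF cookie that `CSRF_COOKIE_SECURE = True` now produces, so the two settings as committed look inconsistent; enabling both once HTTPS is in place is the consistent end state. `SECURE_BROWSER_XSS_FILTER` only emits the legacy `X-XSS-Protection` header, which current browsers ignore and which later Django releases deprecated, so it adds little on its own; a `Content-Security-Policy` header is the modern replacement if one is wanted. I would make the intent explicit in the comment, e.g. `#SESSION_COOKIE_SECURE = True  # TODO: enable once the site is served only over HTTPS (set SECURE_PROXY_SSL_HEADER / SECURE_SSL_REDIRECT if behind a TLS proxy)`.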