
Security checks and fixes before deploying a Django web app

Posted at 2021-02-26

Introduction

Running python manage.py check --deploy reports which security weaknesses the current settings would have once deployed.

$ python manage.py check --deploy
System check identified some issues:

WARNINGS:
?: (security.W004) You have not set a value for the SECURE_HSTS_SECONDS setting. If your entire site is served only over SSL, you may want to consider setting a value and enabling HTTP Strict Transport Security. Be sure to read the documentation first; enabling HSTS carelessly can cause serious, irreversible problems.
?: (security.W006) Your SECURE_CONTENT_TYPE_NOSNIFF setting is not set to True, so your pages will not be served with an 'X-Content-Type-Options: nosniff' header. You should consider enabling this header to prevent the browser from identifying content types incorrectly.
?: (security.W007) Your SECURE_BROWSER_XSS_FILTER setting is not set to True, so your pages will not be served with an 'X-XSS-Protection: 1; mode=block' header. You should consider enabling this header to activate the browser's XSS filtering and help prevent XSS attacks.
?: (security.W008) Your SECURE_SSL_REDIRECT setting is not set to True. Unless your site should be available over both SSL and non-SSL connections, you may want to either set this setting True or configure a load balancer or reverse-proxy server to redirect all connections to HTTPS.
?: (security.W012) SESSION_COOKIE_SECURE is not set to True. Using a secure-only session cookie makes it more difficult for network traffic sniffers to hijack user sessions.
?: (security.W016) You have 'django.middleware.csrf.CsrfViewMiddleware' in your MIDDLEWARE, but you have not set CSRF_COOKIE_SECURE to True. Using a secure-only CSRF cookie makes it more difficult for network traffic sniffers to steal the CSRF token.
?: (security.W018) You should not have DEBUG set to True in deployment.
?: (security.W019) You have 'django.middleware.clickjacking.XFrameOptionsMiddleware' in your MIDDLEWARE, but X_FRAME_OPTIONS is not set to 'DENY'. The default is 'SAMEORIGIN', but unless there is a good reason for your site to serve other parts of itself in a frame, you should change it to 'DENY'.

System check identified 8 issues (0 silenced).

Conclusion

Adding the following to the end of settings.py resolves all of them

DEPLOY = True
if DEPLOY:
    # SECURE_HSTS_SECONDS = 60  # commented out: dangerous to change without understanding it
    # Note: the two HSTS flags below only take effect once SECURE_HSTS_SECONDS is non-zero
    SECURE_HSTS_INCLUDE_SUBDOMAINS = True
    SECURE_CONTENT_TYPE_NOSNIFF = True
    SECURE_BROWSER_XSS_FILTER = True
    SECURE_SSL_REDIRECT = True
    SESSION_COOKIE_SECURE = True
    CSRF_COOKIE_SECURE = True
    X_FRAME_OPTIONS = "DENY"
    SECURE_HSTS_PRELOAD = True

For the site to remain reachable with these settings in place, the following are required:
- the environment is a production one
- the site is served over HTTPS
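As an added example that is not from the original post, the following is a stand-alone re-implementation of the rules behind the eight W-codes above, so a settings dict can be audited offline without Django installed; it treats unset booleans as False and X_FRAME_OPTIONS as defaulting to "SAMEORIGIN", matching the check output shown above.

```python
# Added example, not part of the original post: re-implements the deploy-check
# rules for the W-codes above so a settings dict can be audited without Django.
# Unset booleans count as False; X_FRAME_OPTIONS defaults to "SAMEORIGIN".
SECURITY_MW = "django.middleware.security.SecurityMiddleware"
SESSION_MW = "django.contrib.sessions.middleware.SessionMiddleware"
CSRF_MW = "django.middleware.csrf.CsrfViewMiddleware"
XFRAME_MW = "django.middleware.clickjacking.XFrameOptionsMiddleware"


def deploy_warnings(settings: dict) -> list:
    """Return the security.Wxxx codes that check --deploy would print for settings."""
    get = settings.get
    mw = get("MIDDLEWARE", [])
    found = []
    if SECURITY_MW in mw:
        # W004 fires while the HSTS max-age is zero; the subdomain and preload flags
        # (W005 / W021) are only evaluated once SECURE_HSTS_SECONDS is non-zero.
        if not get("SECURE_HSTS_SECONDS", 0):
            found.append("W004")
        else:
            if not get("SECURE_HSTS_INCLUDE_SUBDOMAINS", False):
                found.append("W005")
            if not get("SECURE_HSTS_PRELOAD", False):
                found.append("W021")
        if not get("SECURE_CONTENT_TYPE_NOSNIFF", False):
            found.append("W006")
        if not get("SECURE_BROWSER_XSS_FILTER", False):
            found.append("W007")
        if not get("SECURE_SSL_REDIRECT", False):
            found.append("W008")
    if SESSION_MW in mw and not get("SESSION_COOKIE_SECURE", False):
        found.append("W012")
    if CSRF_MW in mw and not get("CSRF_COOKIE_SECURE", False):
        found.append("W016")
    if get("DEBUG", False):
        found.append("W018")
    if XFRAME_MW in mw and get("X_FRAME_OPTIONS", "SAMEORIGIN").lower() != "deny":
        found.append("W019")
    return sorted(found)


# Constructed sample: a default project carrying the four middlewares the warnings name.
BASELINE = {"DEBUG": True, "MIDDLEWARE": [SECURITY_MW, SESSION_MW, CSRF_MW, XFRAME_MW]}
# The conclusion's block plus DEBUG = False and the HSTS max-age from the W004 section.
HARDENED = {**BASELINE, "DEBUG": False, "SECURE_HSTS_SECONDS": 60,
            "SECURE_HSTS_INCLUDE_SUBDOMAINS": True, "SECURE_HSTS_PRELOAD": True,
            "SECURE_CONTENT_TYPE_NOSNIFF": True, "SECURE_BROWSER_XSS_FILTER": True,
            "SECURE_SSL_REDIRECT": True, "SESSION_COOKIE_SECURE": True,
            "CSRF_COOKIE_SECURE": True, "X_FRAME_OPTIONS": "DENY"}
```

deploy_warnings(BASELINE) yields the same eight codes as the output above, and deploy_warnings(HARDENED) yields none; dropping SECURE_HSTS_SECONDS from HARDENED brings W004 back, which is why the commented-out line in the conclusion still matters.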

Fix for each warning

Fix for W004

settings.py
SECURE_HSTS_SECONDS = 60
# SECURE_HSTS_SECONDS = 36000
# SECURE_HSTS_INCLUDE_SUBDOMAINS = True

Getting this setting wrong can apparently break the site.
See here for details

Fix for W005

settings.py
SECURE_HSTS_INCLUDE_SUBDOMAINS = True

Fix for W006

settings.py
SECURE_CONTENT_TYPE_NOSNIFF = True

Fix for W007

settings.py
SECURE_BROWSER_XSS_FILTER = True

Fix for W008

settings.py
SECURE_SSL_REDIRECT = True

Fix for W012

settings.py
SESSION_COOKIE_SECURE = True

Fix for W016

settings.py
CSRF_COOKIE_SECURE = True

Fix for W018

settings.py
DEBUG = False

Fix for W019

settings.py
X_FRAME_OPTIONS = "DENY"

Fix for W021

settings.py
SECURE_HSTS_PRELOAD = True

Other things to do

Store environment variables in a hidden file
Reference: [Django] How to use django-environ to manage environment variables efficiently

References

[Django] Security review
