Why am I getting these Django security warnings, but not other developers on the team
I am currently getting the following Django security warnings when running makemigrations:

System check identified some issues:

WARNINGS:
?: (security.W004) You have not set a value for the SECURE_HSTS_SECONDS setting. If your entire site is served only over SSL, you may want to consider setting a value and enabling HTTP Strict Transport Security. Be sure to read the documentation first; enabling HSTS carelessly can cause serious, irreversible problems.
?: (security.W006) Your SECURE_CONTENT_TYPE_NOSNIFF setting is not set to True, so your pages will not be served with an 'x-content-type-options: nosniff' header. You should consider enabling this header to prevent the browser from identifying content types incorrectly.
SESSION_COOKIE_SECURE is not set to True. Using a secure-only session cookie makes it more difficult for network traffic sniffers to hijack user sessions.
?: (security.W019) You have 'django.middleware.clickjacking.XFrameOptionsMiddleware' in your MIDDLEWARE_CLASSES, but X_FRAME_OPTIONS is not set to 'DENY'. The default is 'SAMEORIGIN', but unless there is a good reason for your site to serve other parts of itself in a frame, you should change it to 'DENY'.
followed by a set of other warnings. I plan on addressing these warnings, but I don't understand why everyone else on my team does not get these warnings.

I am using a Python virtualenv.

Does anyone have any ideas why I am the only one getting these warnings?

I've also verified that I don't get these warnings on another computer; it is only my development machine.
It's probably the version of Django you're using. Version 1.8 and later use HSTS.

The first warning is about the HSTS header, which prevents browsers from accessing the data over HTTP. It is typically set to 1 year, i.e. 31536000 seconds. But under testing conditions you might prefer using a lower value like 60 or 3600 seconds.

SECURE_HSTS_SECONDS = 31536000

The second warning is to prevent sniffing attacks. This can be prevented by adding the following line to your settings.py:

SECURE_CONTENT_TYPE_NOSNIFF = True

Documentation:
Seems like the Django version was upgraded but not your middleware. Make sure SecurityMiddleware is among them.

More info: https://docs.djangoproject.com/en/3.2/topics/http/middleware/
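As an added illustration for both answers above (not code from the question, the answers, or Django itself), here is a simplified model of how Django's security.W004, W006 and W019 checks decide whether to fire: the HSTS and nosniff warnings are only emitted when SecurityMiddleware is installed, so a middleware difference between two machines' settings is enough to explain why one developer sees them and another does not. The settings dicts and the `security_warnings`/`harden` names are constructed for this example; it does not import Django.

```python
# Simplified model of the decision logic behind Django's security.W004,
# W006 and W019 checks. Not Django's own code (the real checks live in
# django.core.checks.security); assumptions are noted inline.
SECURITY_MW = "django.middleware.security.SecurityMiddleware"
XFRAME_MW = "django.middleware.clickjacking.XFrameOptionsMiddleware"


def security_warnings(settings):
    """Return the check ids (W004/W006/W019) a settings module would trigger."""
    # Older projects still use MIDDLEWARE_CLASSES, as in the question's output.
    middleware = settings.get("MIDDLEWARE") or settings.get("MIDDLEWARE_CLASSES", [])
    found = []
    # HSTS and nosniff checks are skipped unless SecurityMiddleware is
    # installed, since that middleware is what would send those headers.
    if SECURITY_MW in middleware:
        if not settings.get("SECURE_HSTS_SECONDS"):
            found.append("security.W004")
        # Assumed default False, as in the Django versions the question
        # concerns (Django 3.0 changed the default to True).
        if not settings.get("SECURE_CONTENT_TYPE_NOSNIFF", False):
            found.append("security.W006")
    # The clickjacking check only applies when XFrameOptionsMiddleware is
    # present; the default X_FRAME_OPTIONS was 'SAMEORIGIN' before Django 3.0.
    if XFRAME_MW in middleware:
        if settings.get("X_FRAME_OPTIONS", "SAMEORIGIN").lower() != "deny":
            found.append("security.W019")
    return found


def harden(settings):
    """Apply the settings.py lines suggested in the answers above."""
    fixed = dict(settings)
    fixed["SECURE_HSTS_SECONDS"] = 31536000  # 1 year; use 60-3600 while testing
    fixed["SECURE_CONTENT_TYPE_NOSNIFF"] = True
    fixed["X_FRAME_OPTIONS"] = "DENY"
    return fixed


# Constructed sample settings: the asker's machine lists SecurityMiddleware,
# a teammate's copy of the settings does not, so W004/W006 never fire there.
MY_SETTINGS = {"MIDDLEWARE": [SECURITY_MW, XFRAME_MW]}
TEAMMATE_SETTINGS = {"MIDDLEWARE": [XFRAME_MW]}

if __name__ == "__main__":
    print("mine:    ", security_warnings(MY_SETTINGS))
    print("teammate:", security_warnings(TEAMMATE_SETTINGS))
    print("hardened:", security_warnings(harden(MY_SETTINGS)))
```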