
Why am I getting these Django security warnings, but not other developers on the team

I am currently getting the following Django security warnings when running makemigrations:

System check identified some issues:

WARNINGS:
?: (security.W004) You have not set a value for the SECURE_HSTS_SECONDS setting. If your entire site is served only over SSL, you may want to consider setting a value and enabling HTTP Strict Transport Security. Be sure to read the documentation first; enabling HSTS carelessly can cause serious, irreversible problems.
?: (security.W006) Your SECURE_CONTENT_TYPE_NOSNIFF setting is not set to True, so your pages will not be served with an 'x-content-type-options: nosniff' header. You should consider enabling this header to prevent the browser from identifying content types incorrectly.
?: (…) SESSION_COOKIE_SECURE is not set to True. Using a secure-only session cookie makes it more difficult for network traffic sniffers to hijack user sessions.
?: (security.W019) You have 'django.middleware.clickjacking.XFrameOptionsMiddleware' in your MIDDLEWARE_CLASSES, but X_FRAME_OPTIONS is not set to 'DENY'. The default is 'SAMEORIGIN', but unless there is a good reason for your site to serve other parts of itself in a frame, you should change it to 'DENY'.

followed by a set of other warnings. I plan on addressing these warnings, but I don't understand why everyone else on my team does not get these warnings. I am using a Python virtualenv. Does anyone have any ideas why I am the only one getting these warnings?

I've also verified that I don't get these warnings on another computer; it is only my development machine.

It's probably the version of Django you're using. Version 1.8 and later use HSTS.

The first warning is about the HSTS header, which prevents browsers from accessing the data over HTTP. It is typically set to 1 year, i.e. 31536000 seconds. But under testing conditions you might prefer using a lower value like 60 sec or 3600 sec.

SECURE_HSTS_SECONDS = 31536000

The second warning is to prevent sniffing attacks. This can be prevented by adding the following line in your settings.py:

SECURE_CONTENT_TYPE_NOSNIFF = True

Documentation:

  1. On HSTS settings
  2. On NOSNIFF
  3. Other security middlewares

Seems like the Django version was upgraded but not your middlewares. Make sure SecurityMiddleware is among them.

More info: https://docs.djangoproject.com/en/3.2/topics/http/middleware/
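The two answers together point at three things: the HSTS value (long in production, short while testing), the individual header settings named in the quoted warnings, and SecurityMiddleware being installed and placed first. The script below is an added example, not Django's own system-check code and not from either answer: it mirrors the logic of the quoted checks on a plain settings dict so it runs without Django installed, and it hardens a constructed sample of the kind of settings module the question describes. The ids security.W004, W006 and W019 are the ones quoted above; security.W012 is Django's id for the SESSION_COOKIE_SECURE warning whose id is cut off in the quoted output; "middleware-order" is a label invented here for the second answer's advice.

```python
"""Audit of the Django settings behind the warnings quoted in the question.

Added example, not Django's system-check code: the checks are re-stated on a
plain dict so the script runs stand-alone.  "middleware-order" is a label
made up here; the security.W* ids are Django's.
"""

SECURITY_MW = "django.middleware.security.SecurityMiddleware"
XFRAME_MW = "django.middleware.clickjacking.XFrameOptionsMiddleware"

# One year for production, as the first answer recommends; a short value while
# testing, because browsers cache max-age and keep refusing plain HTTP for
# that long even if the HTTPS deployment later breaks.
HSTS_SECONDS = {"test": 3600, "production": 31536000}


def audit_settings(settings):
    """Return a list of (check id, message) for the settings dict given.

    Middleware is read from MIDDLEWARE, falling back to the older
    MIDDLEWARE_CLASSES name that appears in the quoted W019 message.
    """
    findings = []
    middleware = list(
        settings.get("MIDDLEWARE") or settings.get("MIDDLEWARE_CLASSES") or []
    )

    # Second answer: SecurityMiddleware must be installed, and it should be
    # the first entry so the headers it adds apply to every response.
    if SECURITY_MW not in middleware:
        findings.append(("middleware-order", "SecurityMiddleware is not in MIDDLEWARE"))
    elif middleware[0] != SECURITY_MW:
        findings.append(("middleware-order",
                         "SecurityMiddleware should be the first entry in MIDDLEWARE"))

    # security.W004: unset or zero means no Strict-Transport-Security header.
    if not settings.get("SECURE_HSTS_SECONDS"):
        findings.append(("security.W004", "SECURE_HSTS_SECONDS is not set"))

    # security.W006: without this, x-content-type-options: nosniff is omitted.
    if settings.get("SECURE_CONTENT_TYPE_NOSNIFF") is not True:
        findings.append(("security.W006", "SECURE_CONTENT_TYPE_NOSNIFF is not True"))

    # security.W012: the session cookie may be sent over plain HTTP.
    if settings.get("SESSION_COOKIE_SECURE") is not True:
        findings.append(("security.W012", "SESSION_COOKIE_SECURE is not True"))

    # security.W019: the middleware is present but the default SAMEORIGIN
    # still lets the site frame itself; DENY is the recommended value.
    if XFRAME_MW in middleware and settings.get("X_FRAME_OPTIONS", "SAMEORIGIN") != "DENY":
        findings.append(("security.W019", "X_FRAME_OPTIONS is not 'DENY'"))

    return findings


def hardened(settings, environment="production"):
    """Return a copy of the settings with every finding above resolved."""
    fixed = dict(settings)
    others = [m for m in (fixed.get("MIDDLEWARE") or fixed.get("MIDDLEWARE_CLASSES") or [])
              if m != SECURITY_MW]
    fixed["MIDDLEWARE"] = [SECURITY_MW] + others   # SecurityMiddleware first
    fixed.pop("MIDDLEWARE_CLASSES", None)           # drop the pre-1.10 name
    fixed["SECURE_HSTS_SECONDS"] = HSTS_SECONDS[environment]
    fixed["SECURE_CONTENT_TYPE_NOSNIFF"] = True
    fixed["SESSION_COOKIE_SECURE"] = True
    fixed["X_FRAME_OPTIONS"] = "DENY"
    return fixed


# Constructed sample: a settings module of the kind the question describes,
# still using MIDDLEWARE_CLASSES and missing SecurityMiddleware entirely.
WEAK_SETTINGS = {
    "MIDDLEWARE_CLASSES": [
        "django.contrib.sessions.middleware.SessionMiddleware",
        "django.middleware.common.CommonMiddleware",
        "django.middleware.csrf.CsrfViewMiddleware",
        XFRAME_MW,
    ],
}

if __name__ == "__main__":
    for check_id, message in audit_settings(WEAK_SETTINGS):
        print(f"{check_id}: {message}")
    print("after hardening:", audit_settings(hardened(WEAK_SETTINGS)))
```

Running it against the constructed settings reports the middleware gap and the four header warnings in turn, and an empty list once `hardened()` has been applied; passing `environment="test"` keeps the one-hour HSTS value the first answer suggests for testing.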
