From dd09b71eb4af10d86b8fc8b7bdc357cdcbfcd659 Mon Sep 17 00:00:00 2001
From: Alfredo Di Stasio <alfredo.distasio@unina.it>
Date: Tue, 10 Mar 2026 16:04:02 +0100
Subject: [PATCH] Harden production settings safety checks and docs

---
 .env.example                  | 12 ++++++-
 README.md                     | 16 +++++++++
 config/settings/base.py       | 32 +++++++++++++++--
 config/settings/production.py | 30 +++++++++++++++-
 tests/test_settings_safety.py | 68 +++++++++++++++++++++++++++++++++++
 5 files changed, 153 insertions(+), 5 deletions(-)
 create mode 100644 tests/test_settings_safety.py

diff --git a/.env.example b/.env.example
index 92c2f74..5548422 100644
--- a/.env.example
+++ b/.env.example
@@ -1,7 +1,7 @@
 # Django
 DJANGO_SETTINGS_MODULE=config.settings.development
 DJANGO_ENV=development
-# Required to be a strong, unique value when DJANGO_DEBUG=0.
+# Required to be a strong, unique value outside development.
 DJANGO_SECRET_KEY=change-me-in-production
 DJANGO_DEBUG=1
 DJANGO_ALLOWED_HOSTS=localhost,127.0.0.1
@@ -36,6 +36,16 @@ GUNICORN_WORKERS=3
 # Production-minded security toggles
 DJANGO_SECURE_SSL_REDIRECT=1
 DJANGO_SECURE_HSTS_SECONDS=31536000
+DJANGO_SESSION_COOKIE_SAMESITE=Lax
+DJANGO_CSRF_COOKIE_SAMESITE=Lax
+
+# Mandatory production variables (example values):
+# DJANGO_SETTINGS_MODULE=config.settings.production
+# DJANGO_ENV=production
+# DJANGO_DEBUG=0
+# DJANGO_SECRET_KEY=<strong-unique-secret-at-least-32-chars>
+# DJANGO_ALLOWED_HOSTS=app.example.com
+# DJANGO_CSRF_TRUSTED_ORIGINS=https://app.example.com
 
 # Providers / ingestion
 PROVIDER_BACKEND=demo
diff --git a/README.md b/README.md
index 647510b..dc2e344 100644
--- a/README.md
+++ b/README.md
@@ -181,6 +181,12 @@ When `DJANGO_DEBUG=0`, startup fails fast unless:
 - `DJANGO_ALLOWED_HOSTS` is set
 - `DJANGO_CSRF_TRUSTED_ORIGINS` is set (for production settings)
 
+Additional production safety checks:
+
+- `DJANGO_SECRET_KEY` must be strong and non-default in non-development environments
+- `DJANGO_ALLOWED_HOSTS` must not contain localhost-style values
+- `DJANGO_CSRF_TRUSTED_ORIGINS` must be explicit HTTPS origins only (no localhost/http)
+
 Production settings enable hardened defaults such as:
 
 - secure cookies
@@ -188,6 +194,16 @@ Production settings enable hardened defaults such as:
 - security headers
 - `ManifestStaticFilesStorage` for static asset integrity/versioning
 
+### Production Configuration Checklist
+
+- `DJANGO_SETTINGS_MODULE=config.settings.production`
+- `DJANGO_ENV=production`
+- `DJANGO_DEBUG=0`
+- strong `DJANGO_SECRET_KEY` (unique, non-default, >= 32 chars)
+- explicit `DJANGO_ALLOWED_HOSTS` (no localhost values)
+- explicit `DJANGO_CSRF_TRUSTED_ORIGINS` with HTTPS origins only
+- `DJANGO_SECURE_SSL_REDIRECT=1` and `DJANGO_SECURE_HSTS_SECONDS` set appropriately
+
 ## Superuser and Auth
 
 Create superuser:
diff --git a/config/settings/base.py b/config/settings/base.py
index 25b3c73..036f299 100644
--- a/config/settings/base.py
+++ b/config/settings/base.py
@@ -1,8 +1,10 @@
 from pathlib import Path
+import logging
 import os
 from django.core.exceptions import ImproperlyConfigured
 
 BASE_DIR = Path(__file__).resolve().parent.parent.parent
+settings_logger = logging.getLogger("config.settings")
 
 
 def env_bool(key: str, default: bool = False) -> bool:
@@ -20,15 +22,39 @@ def env_list(key: str, default: str = "") -> list[str]:
 DJANGO_ENV = os.getenv("DJANGO_ENV", "development").strip().lower()
 SECRET_KEY = os.getenv("DJANGO_SECRET_KEY", "insecure-development-secret")
 DEBUG = env_bool("DJANGO_DEBUG", False)
+IS_DEVELOPMENT_ENV = DJANGO_ENV in {"development", "local", "dev"}
 ALLOWED_HOSTS = env_list("DJANGO_ALLOWED_HOSTS", "localhost,127.0.0.1")
 CSRF_TRUSTED_ORIGINS = env_list(
     "DJANGO_CSRF_TRUSTED_ORIGINS", "http://localhost,http://127.0.0.1"
 )
 
-if not DEBUG and SECRET_KEY in {"", "insecure-development-secret", "change-me-in-production"}:
-    raise ImproperlyConfigured("DJANGO_SECRET_KEY must be set to a strong value when DEBUG=0.")
+DEFAULT_SECRET_KEY_MARKERS = {"", "insecure-development-secret", "change-me-in-production"}
+
+
+def raise_config_error(message: str) -> None:
+    settings_logger.critical("Configuration error: %s", message)
+    raise ImproperlyConfigured(message)
+
+
+def is_secret_key_unsafe(secret_key: str) -> bool:
+    if secret_key in DEFAULT_SECRET_KEY_MARKERS:
+        return True
+    if len(secret_key) < 32:
+        return True
+    lower = secret_key.lower()
+    return "change-me" in lower or "insecure" in lower or "default" in lower
+
+
+if (not IS_DEVELOPMENT_ENV or not DEBUG) and is_secret_key_unsafe(SECRET_KEY):
+    raise_config_error(
+        "DJANGO_SECRET_KEY is unsafe. Set a strong, unique value for non-development environments."
+    )
+
 if not DEBUG and not ALLOWED_HOSTS:
-    raise ImproperlyConfigured("DJANGO_ALLOWED_HOSTS must not be empty when DEBUG=0.")
+    raise_config_error("DJANGO_ALLOWED_HOSTS must not be empty when DEBUG=0.")
+
+if not DEBUG and "*" in ALLOWED_HOSTS:
+    raise_config_error("DJANGO_ALLOWED_HOSTS must not contain '*' when DEBUG=0.")
 
 INSTALLED_APPS = [
     "django.contrib.admin",
diff --git a/config/settings/production.py b/config/settings/production.py
index 1b91fc1..d9602b2 100644
--- a/config/settings/production.py
+++ b/config/settings/production.py
@@ -1,5 +1,6 @@
 from .base import *  # noqa: F403,F401
 import os
+from urllib.parse import urlparse
 from django.core.exceptions import ImproperlyConfigured
 
 DEBUG = False
@@ -20,8 +21,35 @@ SESSION_COOKIE_HTTPONLY = True
 SESSION_COOKIE_SAMESITE = os.getenv("DJANGO_SESSION_COOKIE_SAMESITE", "Lax")
 CSRF_COOKIE_SAMESITE = os.getenv("DJANGO_CSRF_COOKIE_SAMESITE", "Lax")
 
+def _is_local_host(hostname: str | None) -> bool:
+    return (hostname or "").lower() in {"localhost", "127.0.0.1", "::1", "0.0.0.0"}
+
+
+def _is_safe_csrf_origin(origin: str) -> bool:
+    parsed = urlparse(origin)
+    if parsed.scheme != "https":
+        return False
+    return not _is_local_host(parsed.hostname)
+
+
 if not CSRF_TRUSTED_ORIGINS:  # noqa: F405
-    raise ImproperlyConfigured("DJANGO_CSRF_TRUSTED_ORIGINS must be set for production.")
+    raise ImproperlyConfigured("DJANGO_CSRF_TRUSTED_ORIGINS must be explicitly set for production.")
+
+invalid_origins = [origin for origin in CSRF_TRUSTED_ORIGINS if not _is_safe_csrf_origin(origin)]  # noqa: F405
+if invalid_origins:
+    joined = ", ".join(invalid_origins)
+    raise ImproperlyConfigured(
+        "DJANGO_CSRF_TRUSTED_ORIGINS contains unsafe values for production. "
+        f"Use explicit HTTPS origins only. Invalid: {joined}"
+    )
+
+unsafe_hosts = [host for host in ALLOWED_HOSTS if host in {"localhost", "127.0.0.1", "::1", "0.0.0.0"}]  # noqa: F405
+if unsafe_hosts:
+    joined = ", ".join(unsafe_hosts)
+    raise ImproperlyConfigured(
+        "DJANGO_ALLOWED_HOSTS contains localhost-style values in production. "
+        f"Invalid: {joined}"
+    )
 
 STORAGES = {
     "default": {
diff --git a/tests/test_settings_safety.py b/tests/test_settings_safety.py
new file mode 100644
index 0000000..512a2cc
--- /dev/null
+++ b/tests/test_settings_safety.py
@@ -0,0 +1,68 @@
+import os
+import subprocess
+import sys
+
+import pytest
+
+
+def _import_settings_module(module: str, env_overrides: dict[str, str]) -> subprocess.CompletedProcess:
+    env = os.environ.copy()
+    env.update(env_overrides)
+    command = [
+        sys.executable,
+        "-c",
+        (
+            "import importlib; "
+            f"importlib.import_module('{module}'); "
+            "print('import-ok')"
+        ),
+    ]
+    return subprocess.run(command, capture_output=True, text=True, env=env, check=False)
+
+
+@pytest.mark.django_db
+def test_production_settings_reject_default_secret_key():
+    result = _import_settings_module(
+        "config.settings.production",
+        {
+            "DJANGO_ENV": "production",
+            "DJANGO_DEBUG": "0",
+            "DJANGO_SECRET_KEY": "change-me-in-production",
+            "DJANGO_ALLOWED_HOSTS": "app.example.com",
+            "DJANGO_CSRF_TRUSTED_ORIGINS": "https://app.example.com",
+        },
+    )
+    assert result.returncode != 0
+    assert "DJANGO_SECRET_KEY is unsafe" in (result.stderr + result.stdout)
+
+
+@pytest.mark.django_db
+def test_production_settings_reject_localhost_csrf_origins():
+    result = _import_settings_module(
+        "config.settings.production",
+        {
+            "DJANGO_ENV": "production",
+            "DJANGO_DEBUG": "0",
+            "DJANGO_SECRET_KEY": "A-very-strong-secret-key-for-production-environment-12345",
+            "DJANGO_ALLOWED_HOSTS": "app.example.com",
+            "DJANGO_CSRF_TRUSTED_ORIGINS": "http://localhost,https://app.example.com",
+        },
+    )
+    assert result.returncode != 0
+    assert "DJANGO_CSRF_TRUSTED_ORIGINS contains unsafe values" in (result.stderr + result.stdout)
+
+
+@pytest.mark.django_db
+def test_development_settings_allow_local_defaults():
+    result = _import_settings_module(
+        "config.settings.development",
+        {
+            "DJANGO_ENV": "development",
+            "DJANGO_DEBUG": "1",
+            "DJANGO_SECRET_KEY": "insecure-development-secret",
+            "DJANGO_ALLOWED_HOSTS": "localhost,127.0.0.1",
+            "DJANGO_CSRF_TRUSTED_ORIGINS": "http://localhost,http://127.0.0.1",
+        },
+    )
+    assert result.returncode == 0
+    assert "import-ok" in result.stdout