bisco/hoopscout
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Harden production settings safety checks and docs

Browse Source
This commit is contained in:
Alfredo Di Stasio
2026-03-10 16:04:02 +01:00
parent 2586f15ae8
commit dd09b71eb4
5 changed files with 153 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
.env.example
View File

@ -1,7 +1,7 @@
# Django
DJANGO_SETTINGS_MODULE=config.settings.development
DJANGO_ENV=development
# Required to be a strong, unique value when DJANGO_DEBUG=0.
# Required to be a strong, unique value outside development.
DJANGO_SECRET_KEY=change-me-in-production
DJANGO_DEBUG=1
DJANGO_ALLOWED_HOSTS=localhost,127.0.0.1
@ -36,6 +36,16 @@ GUNICORN_WORKERS=3
# Production-minded security toggles
DJANGO_SECURE_SSL_REDIRECT=1
DJANGO_SECURE_HSTS_SECONDS=31536000
DJANGO_SESSION_COOKIE_SAMESITE=Lax
DJANGO_CSRF_COOKIE_SAMESITE=Lax
# Mandatory production variables (example values):
# DJANGO_SETTINGS_MODULE=config.settings.production
# DJANGO_ENV=production
# DJANGO_DEBUG=0
# DJANGO_SECRET_KEY=<strong-unique-secret-at-least-32-chars>
# DJANGO_ALLOWED_HOSTS=app.example.com
# DJANGO_CSRF_TRUSTED_ORIGINS=https://app.example.com
# Providers / ingestion
PROVIDER_BACKEND=demo

16
README.md
View File

@ -181,6 +181,12 @@ When `DJANGO_DEBUG=0`, startup fails fast unless:
- `DJANGO_ALLOWED_HOSTS` is set
- `DJANGO_CSRF_TRUSTED_ORIGINS` is set (for production settings)
Additional production safety checks:
- `DJANGO_SECRET_KEY` must be strong and non-default in non-development environments
- `DJANGO_ALLOWED_HOSTS` must not contain localhost-style values
- `DJANGO_CSRF_TRUSTED_ORIGINS` must be explicit HTTPS origins only (no localhost/http)
Production settings enable hardened defaults such as:
- secure cookies
@ -188,6 +194,16 @@ Production settings enable hardened defaults such as:
- security headers
- `ManifestStaticFilesStorage` for static asset integrity/versioning
### Production Configuration Checklist
- `DJANGO_SETTINGS_MODULE=config.settings.production`
- `DJANGO_ENV=production`
- `DJANGO_DEBUG=0`
- strong `DJANGO_SECRET_KEY` (unique, non-default, >= 32 chars)
- explicit `DJANGO_ALLOWED_HOSTS` (no localhost values)
- explicit `DJANGO_CSRF_TRUSTED_ORIGINS` with HTTPS origins only
- `DJANGO_SECURE_SSL_REDIRECT=1` and `DJANGO_SECURE_HSTS_SECONDS` set appropriately
## Superuser and Auth
Create superuser:

32
config/settings/base.py
View File

@ -1,8 +1,10 @@
from pathlib import Path
import logging
import os
from django.core.exceptions import ImproperlyConfigured
BASE_DIR = Path(__file__).resolve().parent.parent.parent
settings_logger = logging.getLogger("config.settings")
def env_bool(key: str, default: bool = False) -> bool:
@ -20,15 +22,39 @@ def env_list(key: str, default: str = "") -> list[str]:
DJANGO_ENV = os.getenv("DJANGO_ENV", "development").strip().lower()
SECRET_KEY = os.getenv("DJANGO_SECRET_KEY", "insecure-development-secret")
DEBUG = env_bool("DJANGO_DEBUG", False)
IS_DEVELOPMENT_ENV = DJANGO_ENV in {"development", "local", "dev"}
ALLOWED_HOSTS = env_list("DJANGO_ALLOWED_HOSTS", "localhost,127.0.0.1")
CSRF_TRUSTED_ORIGINS = env_list(
"DJANGO_CSRF_TRUSTED_ORIGINS", "http://localhost,http://127.0.0.1"
)
if not DEBUG and SECRET_KEY in {"", "insecure-development-secret", "change-me-in-production"}:
raise ImproperlyConfigured("DJANGO_SECRET_KEY must be set to a strong value when DEBUG=0.")
DEFAULT_SECRET_KEY_MARKERS = {"", "insecure-development-secret", "change-me-in-production"}
def raise_config_error(message: str) -> None:
settings_logger.critical("Configuration error: %s", message)
raise ImproperlyConfigured(message)
def is_secret_key_unsafe(secret_key: str) -> bool:
if secret_key in DEFAULT_SECRET_KEY_MARKERS:
return True
if len(secret_key) < 32:
return True
lower = secret_key.lower()
return "change-me" in lower or "insecure" in lower or "default" in lower
if (not IS_DEVELOPMENT_ENV or not DEBUG) and is_secret_key_unsafe(SECRET_KEY):
raise_config_error(
"DJANGO_SECRET_KEY is unsafe. Set a strong, unique value for non-development environments."
)
if not DEBUG and not ALLOWED_HOSTS:
raise ImproperlyConfigured("DJANGO_ALLOWED_HOSTS must not be empty when DEBUG=0.")
raise_config_error("DJANGO_ALLOWED_HOSTS must not be empty when DEBUG=0.")
if not DEBUG and "*" in ALLOWED_HOSTS:
raise_config_error("DJANGO_ALLOWED_HOSTS must not contain '*' when DEBUG=0.")
INSTALLED_APPS = [
"django.contrib.admin",

30
config/settings/production.py
View File

@ -1,5 +1,6 @@
from .base import * # noqa: F403,F401
import os
from urllib.parse import urlparse
from django.core.exceptions import ImproperlyConfigured
DEBUG = False
@ -20,8 +21,35 @@ SESSION_COOKIE_HTTPONLY = True
SESSION_COOKIE_SAMESITE = os.getenv("DJANGO_SESSION_COOKIE_SAMESITE", "Lax")
CSRF_COOKIE_SAMESITE = os.getenv("DJANGO_CSRF_COOKIE_SAMESITE", "Lax")
def _is_local_host(hostname: str | None) -> bool:
return (hostname or "").lower() in {"localhost", "127.0.0.1", "::1", "0.0.0.0"}
def _is_safe_csrf_origin(origin: str) -> bool:
parsed = urlparse(origin)
if parsed.scheme != "https":
return False
return not _is_local_host(parsed.hostname)
if not CSRF_TRUSTED_ORIGINS: # noqa: F405
raise ImproperlyConfigured("DJANGO_CSRF_TRUSTED_ORIGINS must be set for production.")
raise ImproperlyConfigured("DJANGO_CSRF_TRUSTED_ORIGINS must be explicitly set for production.")
invalid_origins = [origin for origin in CSRF_TRUSTED_ORIGINS if not _is_safe_csrf_origin(origin)] # noqa: F405
if invalid_origins:
joined = ", ".join(invalid_origins)
raise ImproperlyConfigured(
"DJANGO_CSRF_TRUSTED_ORIGINS contains unsafe values for production. "
f"Use explicit HTTPS origins only. Invalid: {joined}"
)
unsafe_hosts = [host for host in ALLOWED_HOSTS if host in {"localhost", "127.0.0.1", "::1", "0.0.0.0"}] # noqa: F405
if unsafe_hosts:
joined = ", ".join(unsafe_hosts)
raise ImproperlyConfigured(
"DJANGO_ALLOWED_HOSTS contains localhost-style values in production. "
f"Invalid: {joined}"
)
STORAGES = {
"default": {

68
tests/test_settings_safety.py Normal file
View File

@ -0,0 +1,68 @@
import os
import subprocess
import sys
import pytest
def _import_settings_module(module: str, env_overrides: dict[str, str]) -> subprocess.CompletedProcess:
env = os.environ.copy()
env.update(env_overrides)
command = [
sys.executable,
"-c",
(
"import importlib; "
f"importlib.import_module('{module}'); "
"print('import-ok')"
),
]
return subprocess.run(command, capture_output=True, text=True, env=env, check=False)
@pytest.mark.django_db
def test_production_settings_reject_default_secret_key():
result = _import_settings_module(
"config.settings.production",
{
"DJANGO_ENV": "production",
"DJANGO_DEBUG": "0",
"DJANGO_SECRET_KEY": "change-me-in-production",
"DJANGO_ALLOWED_HOSTS": "app.example.com",
"DJANGO_CSRF_TRUSTED_ORIGINS": "https://app.example.com",
},
)
assert result.returncode != 0
assert "DJANGO_SECRET_KEY is unsafe" in (result.stderr + result.stdout)
@pytest.mark.django_db
def test_production_settings_reject_localhost_csrf_origins():
result = _import_settings_module(
"config.settings.production",
{
"DJANGO_ENV": "production",
"DJANGO_DEBUG": "0",
"DJANGO_SECRET_KEY": "A-very-strong-secret-key-for-production-environment-12345",
"DJANGO_ALLOWED_HOSTS": "app.example.com",
"DJANGO_CSRF_TRUSTED_ORIGINS": "http://localhost,https://app.example.com",
},
)
assert result.returncode != 0
assert "DJANGO_CSRF_TRUSTED_ORIGINS contains unsafe values" in (result.stderr + result.stdout)
@pytest.mark.django_db
def test_development_settings_allow_local_defaults():
result = _import_settings_module(
"config.settings.development",
{
"DJANGO_ENV": "development",
"DJANGO_DEBUG": "1",
"DJANGO_SECRET_KEY": "insecure-development-secret",
"DJANGO_ALLOWED_HOSTS": "localhost,127.0.0.1",
"DJANGO_CSRF_TRUSTED_ORIGINS": "http://localhost,http://127.0.0.1",
},
)
assert result.returncode == 0
assert "import-ok" in result.stdout