From 32cb36b43489c908e698ff6f438d139b78691d69 Mon Sep 17 00:00:00 2001
From: Eric-Butcher
Date: Fri, 17 Jan 2025 18:21:47 -0500
Subject: [PATCH 1/2] Fixed the settings to be secure

---
 .env.example                    |  4 +++-
 evergreen/evergreen/settings.py | 27 ++++++++++++++++++++++++---
 2 files changed, 27 insertions(+), 4 deletions(-)

diff --git a/.env.example b/.env.example
index 7757c38..b23cad9 100644
--- a/.env.example
+++ b/.env.example
@@ -1,4 +1,6 @@
 POSTGRES_DB: postgres
 POSTGRES_USER: username123 # this is insecure - needs to be changed
 POSTGRES_PASSWORD: password123 # this is insecure - needs to be changed
-WAIT_HOSTS: database:5432
\ No newline at end of file
+WAIT_HOSTS: database:5432
+DJANGO_SECRET_KEY: replace-with-secrets-token-bytes # this is insecure - needs to be changed
+DJANGO_DEBUG: false # must be a boolean
\ No newline at end of file
diff --git a/evergreen/evergreen/settings.py b/evergreen/evergreen/settings.py
index d67ddde..d74af3c 100644
--- a/evergreen/evergreen/settings.py
+++ b/evergreen/evergreen/settings.py
@@ -11,6 +11,7 @@
 """
 
 import os
+import secrets
 import sys
 from pathlib import Path
 
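Review bot: The new `DJANGO_SECRET_KEY` placeholder tells the reader to replace it but not how to produce an acceptable value, and the trailing `# ...` comment on the same line is handled differently by different env-file loaders — with some, the comment text becomes part of the value, so the key actually loaded is not what the file appears to state. I would put the guidance on its own line above the entry, e.g. `# generate with: python -c "import secrets; print(secrets.token_urlsafe(64))"`, and keep the placeholder line free of inline comments. The `DJANGO_DEBUG` entry is safe in either case, because settings.py in this patch only treats the exact (case-insensitive) string `true` as enabling debug.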
@@ -18,15 +19,30 @@
 BASE_DIR = Path(__file__).resolve().parent.parent
 
 
-# Quick-start development settings - unsuitable for production
+# Many of these configurations were used from Django's
+# "Quick-start development settings". Do not assume that any
+# values placed withing this file necessarily have a meaning
+# that the team has decided on for any particular reason unless
+# there are comments explaining so.
+
+
 # See https://docs.djangoproject.com/en/5.1/howto/deployment/checklist/
 
 # SECURITY WARNING: keep the secret key used in production secret!
-SECRET_KEY = "django-insecure-=mwfbc26f&ixkoi@58!3-_)e#)ega^i4(g*l6h7)405_x-_7nu"
+high_entropy_number_of_bytes = 64
+SECRET_KEY = os.getenv(
+    "DJANGO_SECRET_KEY", secrets.token_urlsafe(high_entropy_number_of_bytes)
+)
 
 # SECURITY WARNING: don't run with debug turned on in production!
 # THIS HAS TO BE SET TO FALSE TO GET no-sniff headers!!!
-DEBUG = False
+# the user should supply either "true" or "false" in the .env file
+# this statement will convert those string values into the proper
+# boolean value, otherwise the value would likely be a non-empty
+# string and therefore would always evaluate as truthy in python
+# which would be a huge vulnerability as this would possibly
+# result in an accidental deployment with the DEBUG set to true
+DEBUG: bool = os.getenv("DJANGO_DEBUG", "false").lower() == "true"
 
 ALLOWED_HOSTS = ["127.0.0.1", "localhost", "0.0.0.0", "*", "https://localhost"]
 CSRF_TRUSTED_ORIGINS = ["http://localhost", "https://localhost"]
@@ -103,6 +119,11 @@
     }
 }
 
+# When we are testing this overrides the configuration so that it uses sqlite locally
+# instead of reaching out to a Postgres db which we have not setup for
+# our testing environment This means that Postgres specific db features will not work
+# with testing and testing will not be totally accurate until we have switched to using
+# Postgres in our testing environment
 if (
     "manage.py" in sys.argv
     and "test" in sys.argv
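Review bot: The `secrets.token_urlsafe` fallback in the new `SECRET_KEY` assignment means a deployment that forgets to set `DJANGO_SECRET_KEY` starts silently with a key that differs per process and per restart, so sessions, password-reset links and signed cookies stop validating across workers and restarts, and the misconfiguration is never surfaced. A missing key should fail at import time instead, `SECRET_KEY = os.environ["DJANGO_SECRET_KEY"]`, with a generated key only as a `DEBUG`-gated convenience (which would require computing `DEBUG` before `SECRET_KEY`). The context lines of this hunk still carry `"*"` and the scheme-prefixed `"https://localhost"` in `ALLOWED_HOSTS`; the wildcard disables Host-header validation and the URL form can never match a Host header, so both are worth revisiting given the commit's stated purpose. Minor: the comment block has the typo `withing` (should be `within`), and adding `.strip()` before `.lower()` on the `DJANGO_DEBUG` value would tolerate trailing whitespace from the env file.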
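Review bot: The new comment runs two sentences together at `our testing environment This means`; a period after `environment` (and a comma after `sqlite locally`) would make it readable. It also describes the override as applying "when we are testing", whereas the condition it documents, whose body continues past the hunk, triggers only when both `manage.py` and `test` appear in `sys.argv`; stating that exact trigger, e.g. `# Only when invoked as "manage.py test": use a local sqlite database instead of Postgres`, would avoid surprises for anyone running tests through another entry point.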
From c7039ec94e4740c8ac5622e3565fe914cc638faa Mon Sep 17 00:00:00 2001
From: Eric Butcher <107886303+Eric-Butcher@users.noreply.github.com>
Date: Sat, 18 Jan 2025 15:22:14 -0500
Subject: [PATCH 2/2] .env.example has trailing newline

---
 .env.example | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.env.example b/.env.example
index b23cad9..74c56ed 100644
--- a/.env.example
+++ b/.env.example
@@ -3,4 +3,4 @@ POSTGRES_USER: username123 # this is insecure - needs to be changed
 POSTGRES_PASSWORD: password123 # this is insecure - needs to be changed
 WAIT_HOSTS: database:5432
 DJANGO_SECRET_KEY: replace-with-secrets-token-bytes # this is insecure - needs to be changed
-DJANGO_DEBUG: false # must be a boolean
\ No newline at end of file
+DJANGO_DEBUG: false # must be a boolean