4 changes: 3 additions & 1 deletion .env.example
@@ -1,4 +1,6 @@
POSTGRES_DB: postgres
POSTGRES_USER: username123 # this is insecure - needs to be changed
POSTGRES_PASSWORD: password123 # this is insecure - needs to be changed
WAIT_HOSTS: database:5432
WAIT_HOSTS: database:5432
DJANGO_SECRET_KEY: replace-with-secrets-token-bytes # this is insecure - needs to be changed
DJANGO_DEBUG: false # must be a boolean
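Review bot: The placeholder on the `DJANGO_SECRET_KEY` line names `secrets.token_bytes`, while settings.py builds its fallback with `secrets.token_urlsafe`, and raw bytes cannot be pasted into an env file anyway. I would point the reader at a command that yields a usable value, for example the comment `# generate with: python -c "import secrets; print(secrets.token_urlsafe(64))"`. Whether the trailing `# ...` comments on these lines are stripped depends on whatever loads the file, which is not visible here. If they are kept, they become part of the secret and of the `DJANGO_DEBUG` string, so moving the comments onto their own lines would be safer.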
27 changes: 24 additions & 3 deletions evergreen/evergreen/settings.py
@@ -11,22 +11,38 @@
"""

import os
import secrets
import sys
from pathlib import Path

# Build paths inside the project like this: BASE_DIR / 'subdir'.
BASE_DIR = Path(__file__).resolve().parent.parent


# Quick-start development settings - unsuitable for production
# Many of these configurations were used from Django's
# "Quick-start development settings". Do not assume that any
# values placed withing this file necessarily have a meaning
# that the team has decided on for any particular reason unless
# there are comments explaining so.


# See https://docs.djangoproject.com/en/5.1/howto/deployment/checklist/

# SECURITY WARNING: keep the secret key used in production secret!
SECRET_KEY = "django-insecure-=mwfbc26f&ixkoi@58!3-_)e#)ega^i4(g*l6h7)405_x-_7nu"
high_entropy_number_of_bytes = 64
SECRET_KEY = os.getenv(
"DJANGO_SECRET_KEY", secrets.token_urlsafe(high_entropy_number_of_bytes)
)

# SECURITY WARNING: don't run with debug turned on in production!
# THIS HAS TO BE SET TO FALSE TO GET no-sniff headers!!!
DEBUG = False
# the user should supply either "true" or "false" in the .env file
# this statement will convert those string values into the proper
# boolean value, otherwise the value would likely be a non-empty
# string and therefore would always evaluate as truthy in python
# which would be a huge vulnerability as this would possibly
# result in an accidental deployment with the DEBUG set to true
DEBUG: bool = os.getenv("DJANGO_DEBUG", "false").lower() == "true"

ALLOWED_HOSTS = ["127.0.0.1", "localhost", "0.0.0.0", "*", "https://localhost"]
CSRF_TRUSTED_ORIGINS = ["http://localhost", "https://localhost"]
@@ -103,6 +119,11 @@
}
}

# When we are testing this overrides the configuration so that it uses sqlite locally
# instead of reaching out to a Postgres db which we have not setup for
# our testing environment This means that Postgres specific db features will not work
# with testing and testing will not be totally accurate until we have switched to using
# Postgres in our testing environment
if (
"manage.py" in sys.argv
and "test" in sys.argv
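Review bot: The random fallback for `SECRET_KEY` in the first hunk lets a deployment that forgets `DJANGO_SECRET_KEY` start silently with a different key in every worker process and after every restart, so sessions, CSRF tokens and password-reset links signed by one process fail verification in another. The literal placeholder from `.env.example` (`replace-with-secrets-token-bytes`) is also accepted as a valid key if that file is copied unchanged. I would keep the generated key for local and test runs only and fail at startup otherwise, for example after `DEBUG` is parsed: `if not DEBUG and os.getenv("DJANGO_SECRET_KEY") in (None, "", "replace-with-secrets-token-bytes"): raise ImproperlyConfigured("DJANGO_SECRET_KEY must be set")` (this needs `ImproperlyConfigured` from `django.core.exceptions`). The unchanged `ALLOWED_HOSTS` line in the same hunk still lists `"*"`, which turns off Host-header validation and matters more now that `DEBUG` defaults to false.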