Skip to content

PPHA-682: add csp and hsts #347

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
Themitchell wants to merge 2 commits into
base: main
Choose a base branch
from
Open

PPHA-682: add csp and hsts #347

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
d9c6bad
PPHA-682: Add strict Content Security Policy
Themitchell Mar 10, 2026
71355d5
PPHA-682: Add HSTS settings
Themitchell Mar 10, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
32 changes: 21 additions & 11 deletions lung_cancer_screening/settings.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@
import sys
from os import environ
from pathlib import Path
from django.utils.csp import CSP

from jinja2 import ChainableUndefined

Expand Down Expand Up @@ -73,15 +74,16 @@ def pem_key_env(key, file_path_key=None):
]

MIDDLEWARE = [
'django.middleware.security.SecurityMiddleware',
"django.middleware.security.SecurityMiddleware",
"whitenoise.middleware.WhiteNoiseMiddleware",
'django.contrib.sessions.middleware.SessionMiddleware',
'django.middleware.common.CommonMiddleware',
'django.middleware.csrf.CsrfViewMiddleware',
'django.contrib.auth.middleware.AuthenticationMiddleware',
"django.contrib.sessions.middleware.SessionMiddleware",
"django.middleware.common.CommonMiddleware",
"django.middleware.csrf.CsrfViewMiddleware",
"django.contrib.auth.middleware.AuthenticationMiddleware",
"lung_cancer_screening.questions.middleware.session_timeout.SessionTimeoutMiddleware",
'django.contrib.messages.middleware.MessageMiddleware',
'django.middleware.clickjacking.XFrameOptionsMiddleware',
"django.contrib.messages.middleware.MessageMiddleware",
"django.middleware.clickjacking.XFrameOptionsMiddleware",
"django.middleware.csp.ContentSecurityPolicyMiddleware",
]

ROOT_URLCONF = 'lung_cancer_screening.urls'
Expand Down Expand Up @@ -274,13 +276,21 @@ def pem_key_env(key, file_path_key=None):
LOGIN_REDIRECT_URL_FAILURE = "/agree-to-share-information"
ALLOW_LOGOUT_GET_METHOD = True

DISABLE_RECENT_SUBMISSION_LIMITATION = boolean_env("DISABLE_RECENT_SUBMISSION_LIMITATION", default=False)

COMMIT_SHA = environ.get("COMMIT_SHA", "unknown")

SECURE_CSP = {
"default-src": [CSP.SELF],
"font-src": (CSP.SELF, "https://assets.nhs.uk"),
"script-src": (CSP.SELF, "'unsafe-inline'"),
}

# Additional security settings for production
if not DEBUG:
SECURE_HSTS_SECONDS = 31536000
SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")
SECURE_SSL_REDIRECT = False
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True
USE_X_FORWARDED_HOST = True

DISABLE_RECENT_SUBMISSION_LIMITATION = boolean_env("DISABLE_RECENT_SUBMISSION_LIMITATION", default=False)

COMMIT_SHA = environ.get("COMMIT_SHA", "unknown")
Loading