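class SecurityMiddleware(MiddlewareMixin):
    """Add browser-enforced security headers and optionally redirect to HTTPS.

    Everything is driven by the ``SECURE_*`` settings read once in
    ``__init__``. Each header is only added when the response does not already
    carry it, so an individual view can always override the site-wide default.
    """

    def __init__(self, get_response):
        super().__init__(get_response)
        # HSTS: max-age in seconds (a falsy value disables the header) plus the
        # optional includeSubDomains / preload directives.
        self.sts_seconds = settings.SECURE_HSTS_SECONDS
        self.sts_include_subdomains = settings.SECURE_HSTS_INCLUDE_SUBDOMAINS
        self.sts_preload = settings.SECURE_HSTS_PRELOAD
        self.content_type_nosniff = settings.SECURE_CONTENT_TYPE_NOSNIFF
        # HTTP -> HTTPS redirect; an explicit host replaces the request's own.
        self.redirect = settings.SECURE_SSL_REDIRECT
        self.redirect_host = settings.SECURE_SSL_HOST
        # Compiled once at startup rather than on every request.
        self.redirect_exempt = [re.compile(r) for r in settings.SECURE_REDIRECT_EXEMPT]
        self.referrer_policy = settings.SECURE_REFERRER_POLICY
        self.cross_origin_opener_policy = settings.SECURE_CROSS_ORIGIN_OPENER_POLICY

    def process_request(self, request):
        """Redirect a plain-HTTP request to HTTPS when ``SECURE_SSL_REDIRECT`` is on.

        Returns an ``HttpResponsePermanentRedirect`` for a non-secure request
        whose path matches none of the ``SECURE_REDIRECT_EXEMPT`` patterns;
        returns ``None`` otherwise so the request continues down the chain.
        """
        # Exempt patterns are searched against the path without its leading "/".
        path = request.path.lstrip("/")
        if (
            self.redirect
            and not request.is_secure()
            and not any(pattern.search(path) for pattern in self.redirect_exempt)
        ):
            host = self.redirect_host or request.get_host()
            return HttpResponsePermanentRedirect(
                "https://%s%s" % (host, request.get_full_path())
            )

    def process_response(self, request, response):
        """Attach the configured security headers to ``response`` and return it.

        Headers already present on the response are left untouched. The HSTS
        header is only emitted on responses to secure requests, since browsers
        disregard it when received over plain HTTP.
        """
        if (
            self.sts_seconds
            and request.is_secure()
            and "Strict-Transport-Security" not in response
        ):
            directives = ["max-age=%s" % self.sts_seconds]
            if self.sts_include_subdomains:
                directives.append("includeSubDomains")
            if self.sts_preload:
                directives.append("preload")
            response.headers["Strict-Transport-Security"] = "; ".join(directives)

        if self.content_type_nosniff:
            response.headers.setdefault("X-Content-Type-Options", "nosniff")

        if self.referrer_policy:
            # Support a comma-separated string or an iterable of values; several
            # values let the browser fall back to an older policy it understands.
            response.headers.setdefault(
                "Referrer-Policy",
                ",".join(
                    [v.strip() for v in self.referrer_policy.split(",")]
                    if isinstance(self.referrer_policy, str)
                    else self.referrer_policy
                ),
            )

        if self.cross_origin_opener_policy:
            # Same response.headers access as the other headers above (the
            # original called response.setdefault, which delegates to it).
            response.headers.setdefault(
                "Cross-Origin-Opener-Policy",
                self.cross_origin_opener_policy,
            )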