Adds CSP header (frame-ancestors 'self') to django settings (gitcoinc…

…o#8324)
gdixon · Feb 1, 2021 · 8b9faef · 8b9faef
1 parent 10bfd0d
commit 8b9faef
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 0 deletions.
diff --git a/app/app/settings.py b/app/app/settings.py
@@ -78,6 +78,7 @@
 
 # Application definition
 INSTALLED_APPS = [
+    'csp',
     'corsheaders',
     'django.contrib.admin',
     'taskapp.celery.CeleryConfig',
@@ -152,6 +153,7 @@
 ]
 
 MIDDLEWARE = [
+    'csp.middleware.CSPMiddleware',
     'corsheaders.middleware.CorsMiddleware',
     'django.middleware.security.SecurityMiddleware',
     'django.contrib.sessions.middleware.SessionMiddleware',
@@ -742,6 +744,9 @@ def callback(request):
 if not AWS_S3_OBJECT_PARAMETERS:
     AWS_S3_OBJECT_PARAMETERS = {'CacheControl': f'max-age={AWS_S3_CACHE_MAX_AGE}', }
 
+CSP_DEFAULT_SRC = False
+CSP_FRAME_ANCESTORS = ("'self'")
+
 CORS_ORIGIN_ALLOW_ALL = False
 CORS_ORIGIN_WHITELIST = ('sumo.com', 'load.sumo.com', 'googleads.g.doubleclick.net', 'gitcoin.co', 'github.com',)
 CORS_ORIGIN_WHITELIST = CORS_ORIGIN_WHITELIST + (AWS_S3_CUSTOM_DOMAIN, MEDIA_CUSTOM_DOMAIN,)

diff --git a/requirements/base.txt b/requirements/base.txt
@@ -5,6 +5,7 @@ cryptography==2.3
 celery==4.4.0
 django-celery-beat==1.1.1
 django==2.2.4
+django-csp==3.7
 django-cors-headers==2.4.0
 django-filter==2.0.0
 django-haystack