我正在运行makemigrations时收到以下Django安全警告:
System check identified some issues:
WARNINGS:
?: (security.W004) You have not set a value for the SECURE_HSTS_SECONDS setting. If your entire site is served only over SSL, you may want to consider setting a value and enabling HTTP Strict Transport Security. Be sure to read the documentation first; enabling HSTS carelessly can cause serious, irreversible problems.
?: (security.W006) Your SECURE_CONTENT_TYPE_NOSNIFF setting is not set to True, so your pages will not be served with an 'x-content-type-options: nosniff' header. You should consider enabling this header to prevent the browser from identifying content types incorrectly.) SESSION_COOKIE_SECURE is not set to True. Using a secure-only session cookie makes it more difficult for network traffic sniffers to hijack user sessions.(security.W019) You have 'django.middleware.clickjacking.XFrameOptionsMiddleware' in your MIDDLEWARE_CLASSES, but X_FRAME_OPTIONS is not set to 'DENY'. The default is 'SAMEORIGIN', but unless there is a good reason for your site to serve other parts of itself in a frame, you should change it to 'DENY'.
后面跟着一组其他警告。我计划解决这些警告,但我不明白为什么我团队中的其他人都没有收到这些警告。我正在使用Python virtualenv。有没有人有任何想法为什么我是唯一一个得到这些警告的人?
我还验证了我没有使用另一台计算机获得这些警告,它只是我的开发机器。
答案 0 :(得分:1)
它可能是您正在使用的Django版本。 Version 1.8 and later use HSTS
答案 1 :(得分:0)
似乎升级了django版本但不是你的中间件。确保安全中间件位于它们之间。
更多信息 https://docs.djangoproject.com/en/1.9/topics/http/middleware/
答案 2 :(得分:0)
第一个警告是关于HSTS标头的,它会阻止浏览器访问HTTP中的数据。通常设置为1年,即31536000秒。但是在测试条件下,您可能更喜欢使用较低的值,例如60秒或3600秒。
SECURE_HSTS_SECONDS = 31536000
第二个警告是防止嗅探攻击。可以通过在settings.py
中添加以下行来防止这种情况 SECURE_CONTENT_TYPE_NOSNIFF = True
文档: