Merge ~suligap/canonical-identity-provider:drop-djangosecure into canonical-identity-provider:master
Status: | Merged |
---|---|
Approved by: | Przemysław Suliga |
Approved revision: | 57f14a97918ca92f7fb2f5e06aa17217402183c7 |
Merge reported by: | Otto Co-Pilot |
Merged at revision: | not available |
Proposed branch: | ~suligap/canonical-identity-provider:drop-djangosecure |
Merge into: | canonical-identity-provider:master |
Diff against target: | 48 lines (+1/-4), 2 files modified: django_project/settings_base.py (+1/-3), requirements.txt (+0/-1) |
Related bugs: | |

Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Daniel Manrique (community) | Approve | | |

Review via email: mp+384528@code.launchpad.net
Commit message
Drop deprecated django-secure dependency
Description of the change
djangosecure was mostly swallowed by Django in 1.8:
https:/
And switch to django.
This has the additional benefit of no longer depending on a middleware class
that is not compatible with Django's "new style" MIDDLEWARE:
https:/
Functionally nothing changes with the djangosecure settings we use:
- `SECURE_
`x-xss-
- `SECURE_
`x-content-
- SECURE_HSTS_SECONDS and SECURE_
A side note: It looks like for SSO, HSTS might be configured in its reverse
proxies, since the max-age values differ between what's being served by
login.ubuntu.com and the value that exists in SSO's django settings. Also,
SECURE_
exists in responses from login.ubuntu.com.
- SECURE_SSL_REDIRECT (set to None currently) is also supported
- SECURE_FRAME_DENY is being dropped in this change as the behavior is already
being overridden by Django's XFrameOptionsMi
Functionally nothing changes and the `X-Frame-Options: SAMEORIGIN` header is being
added to responses. This setting was set to None and it does not exist
outside of djangosecure's middleware.
This change also puts the SecurityMiddleware first in the middleware's list.
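An added example (not code from the canonical-identity-provider project) of the settings migration the description walks through: it swaps djangosecure's middleware for Django's built-in `SecurityMiddleware`, moves it to the front of `MIDDLEWARE`, and sorts the `SECURE_*` settings into ones the built-in middleware honours versus the djangosecure-only `SECURE_FRAME_DENY`. The dotted middleware paths are the standard Django/djangosecure ones; the sample settings values are constructed and are not SSO's real configuration.

```python
# Added example, not the project's own code: apply the djangosecure -> Django
# SecurityMiddleware migration this proposal describes. Pure Python, no Django needed.

OLD_MW = "djangosecure.middleware.SecurityMiddleware"
NEW_MW = "django.middleware.security.SecurityMiddleware"
XFRAME_MW = "django.middleware.clickjacking.XFrameOptionsMiddleware"

# SECURE_* settings that Django's own SecurityMiddleware reads (Django >= 1.8).
SUPPORTED = {
    "SECURE_BROWSER_XSS_FILTER",    # X-XSS-Protection
    "SECURE_CONTENT_TYPE_NOSNIFF",  # X-Content-Type-Options
    "SECURE_HSTS_SECONDS",          # Strict-Transport-Security
    "SECURE_HSTS_INCLUDE_SUBDOMAINS",
    "SECURE_SSL_REDIRECT",
}
# Only djangosecure read this; X-Frame-Options is emitted by XFrameOptionsMiddleware
# (configured via X_FRAME_OPTIONS), so the key is dropped rather than migrated.
DJANGOSECURE_ONLY = {"SECURE_FRAME_DENY"}

def migrate_middleware(middleware):
    """Drop djangosecure's middleware and put Django's SecurityMiddleware first,
    so its SSL redirect and response headers apply before anything else runs."""
    rest = [m for m in middleware if m not in (OLD_MW, NEW_MW)]
    return [NEW_MW] + rest

def audit_secure_settings(settings):
    """Split SECURE_* keys into (kept, dropped, unknown) dicts for review."""
    kept, dropped, unknown = {}, {}, {}
    for key, value in settings.items():
        if not key.startswith("SECURE_"):
            continue
        if key in SUPPORTED:
            kept[key] = value
        elif key in DJANGOSECURE_ONLY:
            dropped[key] = value
        else:
            unknown[key] = value
    return kept, dropped, unknown

# Constructed sample resembling the settings the description discusses
# (not SSO's real configuration).
SAMPLE_MIDDLEWARE = ["django.middleware.common.CommonMiddleware", XFRAME_MW, OLD_MW]
SAMPLE_SETTINGS = {
    "SECURE_BROWSER_XSS_FILTER": True, "SECURE_CONTENT_TYPE_NOSNIFF": True,
    "SECURE_HSTS_SECONDS": 31536000, "SECURE_SSL_REDIRECT": None,
    "SECURE_FRAME_DENY": None, "DEBUG": False,
}
NEW_MIDDLEWARE = migrate_middleware(SAMPLE_MIDDLEWARE)
KEPT, DROPPED, UNKNOWN = audit_secure_settings(SAMPLE_SETTINGS)
```

Running `audit_secure_settings` against the real settings module before removing the `django-secure` requirement shows which keys become dead once the dependency is gone.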
Brilliant :)