- Bump statsd package version to 3.3.0 (required by talisker for
configuring the statsd client)
- Add talisker.django.middleware
After this, talisker can be configured using a STATSD_DSN env var to
send out various metrics to statsd. Currently those will be timers and
counters for views; example counter:
This also results in an X-View-Name response header being added.
Example:
X-View-Name: account-index
Enabling the metrics sending part requires adding a proper STATSD_DSN
env var to talisker's execution env. Later more metrics can be added by
switching to use talisker provided `requests` session for example.
Maybe later, we can look into replacing the django_statsd based
PistonRequestTimingMiddleware metrics by these talisker provided ones.
They have a bit different naming structure (but it might be a win just
letting talisker decide here).
In most cases this is adding the MiddlewareMixin to our custom
middleware classes. Plus a version bump for django-honeypot that brings
the new style middleware compatibility.
Other middleware used (django and other 3rd party middleware) was already
compatible.
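The following is an added illustration, not code from the SSO project, talisker or Django: it shows why old-style `process_request`/`process_response` middleware needs the mixin under Django's new-style `MIDDLEWARE` chain, using a simplified stand-in for `django.utils.deprecation.MiddlewareMixin` (assumed, not Django's own implementation) and a constructed custom middleware that sets the `X-View-Name` header mentioned above. Requests and responses are plain dicts so it runs without Django installed.

```python
class MiddlewareMixin:
    """Simplified stand-in for django.utils.deprecation.MiddlewareMixin.
    New-style Django middleware is constructed with get_response and is
    called with the request; old-style classes only define process_* hooks.
    This mixin adapts the old hooks to the new calling convention."""

    def __init__(self, get_response=None):
        self.get_response = get_response

    def __call__(self, request):
        response = None
        # Old-style pre-view hook: may short-circuit by returning a response.
        if hasattr(self, "process_request"):
            response = self.process_request(request)
        if response is None:
            response = self.get_response(request)
        # Old-style post-view hook: may replace or annotate the response.
        if hasattr(self, "process_response"):
            response = self.process_response(request, response)
        return response


class ViewNameMiddleware(MiddlewareMixin):
    """Constructed example of a custom middleware adapted with the mixin.
    It only defines the old-style hook; the mixin supplies __call__."""

    def process_response(self, request, response):
        # Constructed: take the resolved view name from the request dict.
        response.setdefault("X-View-Name", request.get("view_name", "unknown"))
        return response


class RejectUnknownViewMiddleware(MiddlewareMixin):
    """Constructed example of a pre-view hook that short-circuits the chain."""

    def process_request(self, request):
        if "view_name" not in request:
            return {"status": 404}
        return None


def build_chain(middleware_classes, view):
    """Wrap the view in the given middleware classes, outermost first,
    the way Django's handler builds the new-style MIDDLEWARE chain."""
    handler = view
    for cls in reversed(middleware_classes):
        handler = cls(handler)
    return handler


def demo_view(request):
    # Constructed view: returns a minimal response dict.
    return {"status": 200}


def handle(request, middleware_classes=(RejectUnknownViewMiddleware, ViewNameMiddleware)):
    """Run a request through the chain and return the response dict."""
    return build_chain(list(middleware_classes), demo_view)(request)


if __name__ == "__main__":
    print(handle({"view_name": "account-index"}))
    print(handle({}))
```

Without the mixin, a class that only defines `process_response` has no `__call__`, so Django's handler would fail when it tries to invoke it; the mixin is what makes the old hooks usable in the new chain. Note the short-circuit path: when an earlier middleware returns a response from `process_request`, the view and the later middleware's pre-view hooks never run, but the earlier middleware's own `process_response` still does.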
- `SECURE_CONTENT_TYPE_NOSNIFF = True` adds the
`x-content-type-options: nosniff` response header
- SECURE_HSTS_SECONDS and SECURE_HSTS_INCLUDE_SUBDOMAINS are also supported. As
a side note: It looks like for SSO, HSTS might be configured in its reverse
proxies, since the max-age values differ between what's being served by
login.ubuntu.com and the value that exists in SSO's django settings. Also,
SECURE_HSTS_PRELOAD is not configured in SSO's django settings but `preload`
exists in responses from login.ubuntu.com.
- SECURE_SSL_REDIRECT (set to None currently) is also supported
- SECURE_FRAME_DENY is being dropped in this change as the behavior is already
being overridden by Django's XFrameOptionsMiddleware configured in SSO.
Functionally nothing changes and the `X-Frame-Options: SAMEORIGIN` header is
being added to responses. This setting was set to None and it does not exist
outside of djangosecure's middleware.
This change also puts the SecurityMiddleware first in the middleware's list.
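As an added example, not code from the SSO project or from Django: a small check that derives the response headers Django's `SecurityMiddleware` and `XFrameOptionsMiddleware` are expected to emit from the `SECURE_*` settings described above, verifies that `SecurityMiddleware` is first in the middleware list, and compares the expected `Strict-Transport-Security` value with one observed on the wire. The settings values, the `MIDDLEWARE` list and the observed header are constructed for the example; the header-building rules mirror Django's documented behaviour but are reimplemented here so the check runs without Django installed.

```python
# Constructed settings in the shape of the change described above.
SETTINGS = {
    "SECURE_CONTENT_TYPE_NOSNIFF": True,
    "SECURE_HSTS_SECONDS": 3600,
    "SECURE_HSTS_INCLUDE_SUBDOMAINS": True,
    "SECURE_HSTS_PRELOAD": False,
    "SECURE_SSL_REDIRECT": None,
    "X_FRAME_OPTIONS": "SAMEORIGIN",
    "MIDDLEWARE": [
        "django.middleware.security.SecurityMiddleware",
        "django.middleware.clickjacking.XFrameOptionsMiddleware",
        "django.contrib.sessions.middleware.SessionMiddleware",
    ],
}

SECURITY_MIDDLEWARE = "django.middleware.security.SecurityMiddleware"


def expected_headers(settings, is_secure=True):
    """Headers the Django security middleware is expected to add, derived
    from the settings (reimplemented here for illustration, not Django code)."""
    headers = {}
    if settings.get("SECURE_CONTENT_TYPE_NOSNIFF"):
        headers["X-Content-Type-Options"] = "nosniff"
    seconds = settings.get("SECURE_HSTS_SECONDS") or 0
    # HSTS is only meaningful on HTTPS responses; Django skips it otherwise.
    if seconds and is_secure:
        value = f"max-age={seconds}"
        if settings.get("SECURE_HSTS_INCLUDE_SUBDOMAINS"):
            value += "; includeSubDomains"
        if settings.get("SECURE_HSTS_PRELOAD"):
            value += "; preload"
        headers["Strict-Transport-Security"] = value
    if settings.get("X_FRAME_OPTIONS"):
        headers["X-Frame-Options"] = settings["X_FRAME_OPTIONS"].upper()
    return headers


def parse_hsts(value):
    """Parse an HSTS header value into {directive: argument-or-True}."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip() or True
    return directives


def hsts_mismatch(settings, observed_value):
    """Directives that differ between the HSTS value the settings imply and
    the one observed from the server; a non-empty result suggests something
    in front of Django (e.g. a reverse proxy) is setting or rewriting it."""
    expected = parse_hsts(expected_headers(settings)["Strict-Transport-Security"])
    observed = parse_hsts(observed_value)
    return {
        name: (expected.get(name), observed.get(name))
        for name in set(expected) | set(observed)
        if expected.get(name) != observed.get(name)
    }


def security_middleware_first(settings):
    """True when SecurityMiddleware is the first entry of MIDDLEWARE, so the
    SSL redirect and security headers apply before any other middleware."""
    middleware = settings.get("MIDDLEWARE") or []
    return bool(middleware) and middleware[0] == SECURITY_MIDDLEWARE


if __name__ == "__main__":
    print(expected_headers(SETTINGS))
    # Constructed observed value with a larger max-age and preload present.
    print(hsts_mismatch(SETTINGS, "max-age=31536000; includeSubDomains; preload"))
    print(security_middleware_first(SETTINGS))
```

The mismatch report is the kind of evidence behind the side note above: if the observed `max-age` and `preload` differ from what the settings produce, the header is being set elsewhere, and hardening the Django settings alone will not change what clients see.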
The metric includes the device type (automatically-added backup devices
have the fake "paper_auto" type) and subtype (for OATH devices which
can be TOTP or HOTP).