%global _empty_manifest_terminate_build 0
Name: python-django-security
Version: 0.12.0
Release: 1
Summary: A collection of tools to help secure a Django project.
License: BSD License
URL: https://github.com/sdelements/django-security
Source0: https://mirrors.nju.edu.cn/pypi/web/packages/ee/4e/cd1ee5f8005d87b47d2e9313aed8ed700d1ffcdc24b52a57ac4a1a5971d4/django-security-0.12.0.tar.gz
BuildArch: noarch

%description
# Django-Security

[![Build Status](https://travis-ci.org/sdelements/django-security.svg?branch=master)](https://travis-ci.org/sdelements/django-security)

This package offers a number of models, views, middlewares and forms to facilitate security hardening of Django applications.

# Full documentation

Automatically generated documentation of `django-security` is available on Read The Docs:

* [Django-security documentation](http://django-security.readthedocs.org/en/latest/)

# Requirements

* Python >= 3.6
* Django >= 1.11

For Django < 1.8 use django-security==0.9.4. For Django < 1.11 use django-security==0.11.3.

Note: For versions prior to 0.10.0, `datetime` objects were added to the session and required Django's PickleSerializer for (de)serializing. This has now been changed so that the string representations of these `datetime`s are stored instead. If you are still using PickleSerializer for this reason, we suggest switching to Django's default JSONSerializer (default since Django 1.6) for better security.

# Installation

Install from the Python packages repository:

    pip install django-security

If you prefer the latest development version, install from the [django-security](https://github.com/sdelements/django-security) repository on GitHub:

    git clone https://github.com/sdelements/django-security.git
    cd django-security
    sudo python setup.py install

Add the application to the Django application's `settings.py` file:

    INSTALLED_APPS = (
        ...
        'security',
        ...
    )

Pre-Django 1.10, middleware modules can be added to the `MIDDLEWARE_CLASSES` list in the settings file:

    MIDDLEWARE_CLASSES = (
        ...
        'security.middleware.DoNotTrackMiddleware',
        'security.middleware.ContentNoSniff',
        'security.middleware.XssProtectMiddleware',
        'security.middleware.XFrameOptionsMiddleware',
    )

After Django 1.10, middleware modules can be added to the `MIDDLEWARE` list in the settings file:

    MIDDLEWARE = (
        ...
        'security.middleware.DoNotTrackMiddleware',
        'security.middleware.ContentNoSniff',
        'security.middleware.XssProtectMiddleware',
        'security.middleware.XFrameOptionsMiddleware',
    )

Unlike the modules listed above, some other modules **require** configuration settings, fully described in the [django-security documentation](http://django-security.readthedocs.org/en/latest/). A brief description is provided below.

## Middleware

The provided middleware modules modify the web application's output and input, and in most cases require no or minimal configuration.

| Middleware | Description | Configuration |
|---|---|---|
| ClearSiteDataMiddleware | Send Clear-Site-Data header in HTTP response for any page that has been whitelisted. Recommended. | Required. |
| ContentNoSniff | DEPRECATED: Will be removed in future releases, consider `django.middleware.security.SecurityMiddleware` via `SECURE_CONTENT_TYPE_NOSNIFF` setting. Disable possibly insecure autodetection of MIME types in browsers. Recommended. | None. |
| ContentSecurityPolicyMiddleware | Send Content Security Policy (CSP) header in HTTP response. Recommended, requires careful tuning. | Required. |
| DoNotTrackMiddleware | Read user browser's DoNotTrack preference and pass it to application. Recommended, requires implementation in views and templates. | None. |
| LoginRequiredMiddleware | Requires a user to be authenticated to view any page on the site that hasn't been white listed. | Required. |
| MandatoryPasswordChangeMiddleware | Redirects any request from an authenticated user to the password change form if that user's password has expired. | Required. |
| NoConfidentialCachingMiddleware | Adds No-Cache and No-Store headers to confidential pages. | Required. |
| P3PPolicyMiddleware | DEPRECATED: Will be removed in future releases. Adds the HTTP header attribute specifying compact P3P policy. | Required. |
| SessionExpiryPolicyMiddleware | Expire sessions on browser close, and on expiry times stored in the cookie itself. | Required. |
| StrictTransportSecurityMiddleware | DEPRECATED: Will be removed in future releases, consider `django.middleware.security.SecurityMiddleware` via `SECURE_HSTS_SECONDS`, `SECURE_HSTS_INCLUDE_SUBDOMAINS` and `SECURE_HSTS_PRELOAD` settings. Enforce SSL/TLS connection and disable plaintext fall-back. Recommended for SSL/TLS sites. | Optional. |
| XFrameOptionsMiddleware | Disable framing of the website, mitigating Clickjacking attacks. Recommended. | Optional. |
| XssProtectMiddleware | DEPRECATED: Will be removed in future releases, consider `django.middleware.security.SecurityMiddleware` via `SECURE_BROWSER_XSS_FILTER` setting. Enforce browser's Cross Site Scripting protection. Recommended. | None. |

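
An added example, not part of django-security or its README: a small audit of a settings dictionary for the deprecated middleware listed in the table above and for the PickleSerializer note under Requirements. The `audit_settings` function and the sample settings are constructed for illustration, and the code assumes every deprecated class lives under `security.middleware`, as the four shown in the installation snippet do.

```python
# Added example (not django-security code): flag deprecated django-security
# middleware and a lingering PickleSerializer in a Django settings mapping.
PREFIX = "security.middleware."  # assumption: all classes in the table live here
DJANGO_SECURITY_MW = "django.middleware.security.SecurityMiddleware"
PICKLE = "django.contrib.sessions.serializers.PickleSerializer"

# Deprecated class -> Django settings the table names as its replacement.
DEPRECATED = {
    "ContentNoSniff": ["SECURE_CONTENT_TYPE_NOSNIFF"],
    "XssProtectMiddleware": ["SECURE_BROWSER_XSS_FILTER"],
    "StrictTransportSecurityMiddleware": [
        "SECURE_HSTS_SECONDS", "SECURE_HSTS_INCLUDE_SUBDOMAINS", "SECURE_HSTS_PRELOAD"],
    "P3PPolicyMiddleware": [],  # deprecated, no replacement named in the table
}


def audit_settings(settings):
    """Return a list of (subject, finding) tuples for a dict of Django settings."""
    findings = []
    # Django >= 1.10 reads MIDDLEWARE; older projects use MIDDLEWARE_CLASSES.
    middleware = list(settings.get("MIDDLEWARE") or settings.get("MIDDLEWARE_CLASSES") or [])
    needs_django_mw = False
    for path in middleware:
        name = path[len(PREFIX):] if path.startswith(PREFIX) else None
        if name not in DEPRECATED:
            continue
        replacements = DEPRECATED[name]
        if not replacements:
            findings.append((name, "deprecated; no replacement named"))
            continue
        needs_django_mw = True
        # A replacement counts as enabled only when truthy (True, or a
        # non-zero number of seconds for SECURE_HSTS_SECONDS).
        off = [s for s in replacements if not settings.get(s)]
        if off:
            findings.append((name, "deprecated; not enabled: " + ", ".join(off)))
        else:
            findings.append((name, "deprecated; replacement settings enabled"))
    # The replacement settings are only applied by Django's own SecurityMiddleware.
    if needs_django_mw and DJANGO_SECURITY_MW not in middleware:
        findings.append(("SecurityMiddleware", "missing from middleware list"))
    if settings.get("SESSION_SERIALIZER") == PICKLE:
        findings.append(("SESSION_SERIALIZER", "PickleSerializer in use; prefer JSONSerializer"))
    return findings


# Constructed sample: the README's middleware list plus a leftover pickle serializer.
SAMPLE_SETTINGS = {
    "MIDDLEWARE": [
        "security.middleware.DoNotTrackMiddleware",
        "security.middleware.ContentNoSniff",
        "security.middleware.XssProtectMiddleware",
        "security.middleware.XFrameOptionsMiddleware",
    ],
    "SECURE_CONTENT_TYPE_NOSNIFF": True,
    "SESSION_SERIALIZER": PICKLE,
}

if __name__ == "__main__":
    for subject, finding in audit_settings(SAMPLE_SETTINGS):
        print(subject + ": " + finding)
```

On Django 4.0 and later, `SecurityMiddleware` no longer sends `X-XSS-Protection`, so `SECURE_BROWSER_XSS_FILTER` has no effect there.
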
## Views

`csp_report`

View that allows reception of Content Security Policy violation reports sent by browsers in response to the CSP header set by `ContentSecurityPolicyMiddleware`. This should be used only if long-term, continuous CSP report analysis is required. For one-time CSP setup, [CspBuilder](http://cspbuilder.info/) is much simpler.

This view can be configured to either log received reports or store them in the database. See the [documentation](http://django-security.readthedocs.org/en/latest/#security.views.csp_report) for details.

`require_ajax`

A view decorator which ensures that the request being processed by the view is an AJAX request. Example usage:

    @require_ajax
    def myview(request):
        ...

## Models

`CspReport`

Content Security Policy violation report object. Only makes sense if `ContentSecurityPolicyMiddleware` and the `csp_report` view are used. With this model, the reports can then be analysed in the Django admin site.

`PasswordExpiry`

Associate a password expiry date with a user.

## Logging

All `django-security` modules send important log messages to the `security` facility. The application should configure a handler to receive them:

    LOGGING = {
        ...
        'loggers': {
            'security': {
                'handlers': ['console',],
                'level': 'INFO',
                'propagate': False,
                'formatter': 'verbose',
            },
        },
        ...
    }

%package -n python3-django-security
Summary: A collection of tools to help secure a Django project.
Provides: python-django-security
BuildRequires: python3-devel
BuildRequires: python3-setuptools
BuildRequires: python3-pip

%description -n python3-django-security
# Django-Security

[![Build Status](https://travis-ci.org/sdelements/django-security.svg?branch=master)](https://travis-ci.org/sdelements/django-security)

This package offers a number of models, views, middlewares and forms to facilitate security hardening of Django applications.

%package help
Summary: Development documents and examples for django-security
Provides: python3-django-security-doc

%description help
# Django-Security

[![Build Status](https://travis-ci.org/sdelements/django-security.svg?branch=master)](https://travis-ci.org/sdelements/django-security)

This package offers a number of models, views, middlewares and forms to facilitate security hardening of Django applications.

%prep
%autosetup -n django-security-0.12.0

%build
%py3_build

%install
%py3_install
install -d -m755 %{buildroot}/%{_pkgdocdir}
if [ -d doc ]; then cp -arf doc %{buildroot}/%{_pkgdocdir}; fi
if [ -d docs ]; then cp -arf docs %{buildroot}/%{_pkgdocdir}; fi
if [ -d example ]; then cp -arf example %{buildroot}/%{_pkgdocdir}; fi
if [ -d examples ]; then cp -arf examples %{buildroot}/%{_pkgdocdir}; fi
pushd %{buildroot}
if [ -d usr/lib ]; then
	find usr/lib -type f -printf "/%h/%f\n" >> filelist.lst
fi
if [ -d usr/lib64 ]; then
	find usr/lib64 -type f -printf "/%h/%f\n" >> filelist.lst
fi
if [ -d usr/bin ]; then
	find usr/bin -type f -printf "/%h/%f\n" >> filelist.lst
fi
if [ -d usr/sbin ]; then
	find usr/sbin -type f -printf "/%h/%f\n" >> filelist.lst
fi
touch doclist.lst
if [ -d usr/share/man ]; then
	find usr/share/man -type f -printf "/%h/%f.gz\n" >> doclist.lst
fi
popd
mv %{buildroot}/filelist.lst .
mv %{buildroot}/doclist.lst .

%files -n python3-django-security -f filelist.lst
%dir %{python3_sitelib}/*

%files help -f doclist.lst
%{_docdir}/*

%changelog
* Wed May 10 2023 Python_Bot - 0.12.0-1
- Package Spec generated