From 1cb80a83228c481e46bd2613c6b96636fcc5cf13 Mon Sep 17 00:00:00 2001
From: TBS093A
Date: Sat, 25 Jul 2020 00:35:56 +0200
Subject: [PATCH] add CSRF and CORS settings

---
 packages.sh | 1 +
 portfolio/__pycache__/settings.cpython-36.pyc | Bin 2938 -> 3469 bytes
 portfolio/settings.py | 35 ++++++++++++++++--
 3 files changed, 32 insertions(+), 4 deletions(-)

diff --git a/packages.sh b/packages.sh
index d0e3d00..1681040 100755
--- a/packages.sh
+++ b/packages.sh
@@ -1,5 +1,6 @@
 pip install django
+pip install django-cors-headers
 pip install djangorestframework
 pip install django-filter
 pip install django-rest-enumfield
diff --git a/portfolio/__pycache__/settings.cpython-36.pyc b/portfolio/__pycache__/settings.cpython-36.pyc index 3b1f65d9238e4092ec5c35834eb70acf4960b433..f6723aaab04f8df7e36a041870aadcd1bd4c0daa 100644 GIT binary patch delta 943 zcmZ8fTTc@~6yBMg-YAroJ5mKjRFIo@z-wt2+6c7iE=tbJrs=nCt6P@rmS}isBF`o! zeKY+5>T4f;^JnzcKj5=Z4wVQxlk?4-Z_YXM&B^>4`7qJA)7RJY)0i;74=TzJ<=jZf z{WEEPg((UYQoz6+Mog}%!)q$3H9>+Y7JD6d9Xy92D}2mOCPg5q2LXyAXfx_XNMfHA zv(#gTu+2slYV=E2NH>BWMA3^rJ0R&eVw8}H1GYkg=tmq03}6sL7{&-jF@|wmzyy-G zh)bBX6EuV=T*ehl<0@uw4cF~34daH*FpD{x<7SJ~22iU=7JT$gJX`B7Oygzz$(^cxjyX-sYuAxR1{yY6s?6VP4RX3F=>W1)-we2}%;wr_Y?U=;d8Z%NtJ0xU zH!D^Nmgk=lHLG56;Zq`O7zK0B+|!F2rjdWH?HEVHm3sYPZE4AI%O$7c`t`My<>lq0 z*nj?5=}^}2sz;@I)!l!$Q1-o7b@z?6PwJ*-(6}h%b%WHxu0er9%1CD^n9;U0Lu>l{ zZu2w$8jY4+&;KK>T~Jk)oH-->#ab0`thXi4T1?Bhc2;;Qi?qLmKCl9(c*$|h(!qgK zEqCwtsn_=0!vnMC!gBoCYn_m3!Y!L-hr2!vov(b_72o6XdwQyb=8MQeBc48KLRL#< zw4%9_+SWRWF0-p^rmpFFF2AGGa5`Vq&3rMpncFd6W^;zNmD7#RP&d*j?&^k?IX%`p z!m0Xo8tA5^wzl#wPpj+yaNC-Z&1dxX`$&L|QtxIlRmhs#dD$%ei{j0lXq;<)?Af3D xB)5WxSzJwq1QUUv8stG1R)dV6&ae=w;3C+JN0ZH|sA$edW6hQ5x`>52`wg7n{lowO delta 424 zcmYjNyGjF56ujr|&2CJGv`MYqx;kwC>_mY2-6XHw!8_(!NgLa;TfM5ZFye6hP zUCAr!AFFz-L%+*5EOwwct_3F$gAE69B#=Z3X}HKB3lBNu(T9HRaT50fC}0pp455Uw zb~uG$O&GzbmKX~qr!mehCbWRUB&JZoG-kAF5N1QAi8GkvEatJ$E9BK}EOsQ8LfIhB zp^9a5S;b0^S9`qHAgwr$b?(E)0r#7}0|o_yL2PpI&uFV7dC0_WV+XsaVK20d!M-U~ zf;<)T2hkJNC^)w^=`47*UZZ106y3(OMNae?f22&g>-avJ7rx(>&35pXtVWk9MTr;D ms+iZdD#1hg#=A38$+$J_C`(CY2NP~FSaI#3=4OH;_wWaP1!1-T diff --git a/portfolio/settings.py b/portfolio/settings.py index b1a4dde..24ceb33 100755 --- a/portfolio/settings.py +++ b/portfolio/settings.py @@ -11,6 +11,7 @@ https://docs.djangoproject.com/en/3.0/ref/settings/ """ import os +from corsheaders.defaults import default_headers, default_methods # Build paths inside the project like this: os.path.join(BASE_DIR, ...) BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__))) 
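Review bot: The same commit tracks `portfolio/__pycache__/settings.cpython-36.pyc` (the binary section just above this hunk), a compiled artifact of the very module this hunk edits; it goes stale on every edit and duplicates the settings content in an opaque form, so `__pycache__/` belongs in `.gitignore` rather than in version control. The new `from corsheaders.defaults import default_headers, default_methods` line is fine as such, but it makes settings.py fail to import whenever `django-cors-headers` is absent, and `packages.sh` installs that package unpinned; pinning it (version to be chosen by the project) keeps the defaults the settings build on consistent across environments.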
@@ -19,6 +20,30 @@ BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__))) # Quick-start development settings - unsuitable for production # See https://docs.djangoproject.com/en/3.0/howto/deployment/checklist/ +# SECURITY WARNING: CSRF Token for client used in production secret! +CSRF_HEADER_NAME = 'HTTP_X_XSRF_TOKEN' +CSRF_USE_SESSIONS = True + +# SECURITY WARNING: CORS Settings +# CORS_ORIGIN_ALLOW_ALL = True +CORS_ORIGIN_WHITELIST = [ + "http://localhost:8000" +] +CSRF_TRUSTED_ORIGINS = [ + 'localhost:8000' +] +CORS_ALLOW_HEADERS = list(default_headers) + [ + 'authorization' + 'x-csrftoken', +] +CORS_ALLOW_METHODS = list(default_methods) + [ + 'GET', + 'POST', + 'PUT', + 'PATCH', + 'DELETE' +] + # SECURITY WARNING: keep the secret key used in production secret! SECRET_KEY = 'm$*%jdbc!ig9@#9uga-z($v^f9jk_l($y*mrpzz^u@3fnr2q!a' @@ -38,6 +63,7 @@ INSTALLED_APPS = [ 'django.contrib.messages', 'django.contrib.staticfiles', 'django_extensions', + 'corsheaders', 'rest_framework', 'drf_yasg', 'rest_framework.authtoken', @@ -52,6 +78,7 @@ INSTALLED_APPS = [ MIDDLEWARE = [ 'django.middleware.security.SecurityMiddleware', 'django.contrib.sessions.middleware.SessionMiddleware', + 'corsheaders.middleware.CorsMiddleware', 'django.middleware.common.CommonMiddleware', 'django.middleware.csrf.CsrfViewMiddleware', 'django.contrib.auth.middleware.AuthenticationMiddleware', @@ -162,7 +189,7 @@ SWAGGER_SETTINGS = { # UML options -# GRAPH_MODELS = { -# 'all_applications': True, -# 'group_models': True, -# } \ No newline at end of file +GRAPH_MODELS = { + 'all_applications': True, + 'group_models': True, +} \ No newline at end of file
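Review bot: In the new CORS_ALLOW_HEADERS list `'authorization' 'x-csrftoken',` is missing a comma, so implicit string concatenation yields one bogus header name `authorizationx-csrftoken`; both names are already in django-cors-headers' `default_headers`, so the two lines can simply be dropped rather than fixed. More importantly, CSRF_HEADER_NAME is set to `HTTP_X_XSRF_TOKEN`, meaning clients must send `X-XSRF-TOKEN`, yet that header is not in the CORS allow-list, so a cross-origin request carrying the CSRF token will fail its preflight — add `'x-xsrf-token',` to CORS_ALLOW_HEADERS. The five methods appended to `default_methods` are all already in it, so `CORS_ALLOW_METHODS = list(default_methods) + [...]` can be removed or reduced to `list(default_methods)`. The line `# SECURITY WARNING: CSRF Token for client used in production secret!` is a mangled copy of the SECRET_KEY warning; since CSRF_USE_SESSIONS = True stores the token in the session instead of the csrftoken cookie, a more useful comment is `# CSRF token lives in the session (no csrftoken cookie); clients obtain it from a view and send it back in X-XSRF-TOKEN.` Note also that a session-stored token presumes the browser sends the session cookie cross-origin, which additionally needs CORS_ALLOW_CREDENTIALS = True (not set in this hunk) — presumably intended, worth confirming.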
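Review bot: In the MIDDLEWARE hunk `'corsheaders.middleware.CorsMiddleware'` is inserted after SecurityMiddleware, which can itself short-circuit the request with a redirect (e.g. under SECURE_SSL_REDIRECT); django-cors-headers documents placing CorsMiddleware as high as possible, before any middleware that can generate a response, so that such responses also carry the CORS headers. Moving the new line to the top of MIDDLEWARE, ahead of `'django.middleware.security.SecurityMiddleware'`, closes that gap. Its position relative to CommonMiddleware and CsrfViewMiddleware is already correct.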