Skip to content

Harden production cookie security#5

Merged
Aurelien7777 merged 1 commit into
masterfrom
fix/production-security-settings
Jun 24, 2026
Merged

Harden production cookie security#5
Aurelien7777 merged 1 commit into
masterfrom
fix/production-security-settings

Conversation

@Aurelien7777

@Aurelien7777 Aurelien7777 commented Jun 24, 2026

Copy link
Copy Markdown
Owner

Modifications

  • ajout de SESSION_COOKIE_SECURE configurable par variable d’environnement ;
  • ajout de CSRF_COOKIE_SECURE configurable par variable d’environnement ;
  • ajout de SECURE_REFERRER_POLICY = "same-origin" ;
  • conservation de valeurs par défaut compatibles avec le développement local en HTTP.

Vérifications

  • python manage.py check : aucun problème ;
  • 26 tests réussis ;
  • couverture : 100 % ;
  • flake8 : aucune erreur ;
  • git diff --check : aucune erreur ;
  • contrôle check --deploy réduit aux avertissements HSTS et redirection HTTPS, gérés séparément par la plateforme de déploiement.

Summary by Sourcery

Harden production cookie and referrer security settings based on environment configuration.

New Features:

  • Make SESSION_COOKIE_SECURE configurable via environment variable with a development-friendly default.
  • Make CSRF_COOKIE_SECURE configurable via environment variable with a development-friendly default.

Enhancements:

  • Set SECURE_REFERRER_POLICY to "same-origin" to improve referrer privacy in production.

@sourcery-ai

sourcery-ai Bot commented Jun 24, 2026

Copy link
Copy Markdown
Reviewer's guide (collapsed on small PRs)

Reviewer's Guide

Makes Django cookie-related security settings configurable via environment variables and tightens default referrer policy for production while preserving HTTP-friendly defaults for local development.

Flow diagram for environment-based cookie security settings

flowchart LR
  subgraph Environment
    env_session[ENV SESSION_COOKIE_SECURE]
    env_csrf[ENV CSRF_COOKIE_SECURE]
  end

  subgraph DjangoSettings
    settings_py[settings.py]
    session_secure[SESSION_COOKIE_SECURE]
    csrf_secure[CSRF_COOKIE_SECURE]
    referrer_policy[SECURE_REFERRER_POLICY=same-origin]
  end

  Environment --> settings_py
  env_session --> session_secure
  env_csrf --> csrf_secure
  settings_py --> referrer_policy

  subgraph Runtime
    django[django.middleware]
    cookies[Session and CSRF cookies]
  end

  session_secure --> django
  csrf_secure --> django
  referrer_policy --> django
  django --> cookies
Loading

File-Level Changes

Change Details Files
Make session and CSRF cookies optionally secure based on environment configuration.
  • Introduce SESSION_COOKIE_SECURE setting derived from a SESSION_COOKIE_SECURE environment variable with a default value compatible with local HTTP development.
  • Introduce CSRF_COOKIE_SECURE setting derived from a CSRF_COOKIE_SECURE environment variable with a default value compatible with local HTTP development.
oc_lettings_site/settings.py
Strengthen browser referrer policy for the site.
  • Set SECURE_REFERRER_POLICY to "same-origin" to reduce referrer leakage across origins while remaining safe for production.
oc_lettings_site/settings.py

Tips and commands

Interacting with Sourcery

  • Trigger a new review: Comment @sourcery-ai review on the pull request.
  • Continue discussions: Reply directly to Sourcery's review comments.
  • Generate a GitHub issue from a review comment: Ask Sourcery to create an
    issue from a review comment by replying to it. You can also reply to a
    review comment with @sourcery-ai issue to create an issue from it.
  • Generate a pull request title: Write @sourcery-ai anywhere in the pull
    request title to generate a title at any time. You can also comment
    @sourcery-ai title on the pull request to (re-)generate the title at any time.
  • Generate a pull request summary: Write @sourcery-ai summary anywhere in
    the pull request body to generate a PR summary at any time exactly where you
    want it. You can also comment @sourcery-ai summary on the pull request to
    (re-)generate the summary at any time.
  • Generate reviewer's guide: Comment @sourcery-ai guide on the pull
    request to (re-)generate the reviewer's guide at any time.
  • Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
    pull request to resolve all Sourcery comments. Useful if you've already
    addressed all the comments and don't want to see them anymore.
  • Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
    request to dismiss all existing Sourcery reviews. Especially useful if you
    want to start fresh with a new review - don't forget to comment
    @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

  • Enable or disable review features such as the Sourcery-generated pull request
    summary, the reviewer's guide, and others.
  • Change the review language.
  • Add, remove or edit custom review instructions.
  • Adjust other review settings.

Getting Help

@sourcery-ai sourcery-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey - I've left some high level feedback:

  • For the boolean cookie settings, consider using a more robust cast from environment variables (e.g., case-insensitive check or distutils.util.strtobool) instead of comparing directly to the string 'True' to avoid subtle configuration mistakes.
Prompt for AI Agents
Please address the comments from this code review:

## Overall Comments
- For the boolean cookie settings, consider using a more robust cast from environment variables (e.g., case-insensitive check or `distutils.util.strtobool`) instead of comparing directly to the string 'True' to avoid subtle configuration mistakes.

Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.

@Aurelien7777 Aurelien7777 merged commit 946296a into master Jun 24, 2026
7 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant