Commit cbf2503b authored by Linus Lewandowski's avatar Linus Lewandowski

Use Origin checking for security against CSRF.

parent b1ad0a80
......@@ -58,12 +58,12 @@ MIDDLEWARE = [
'aiakos.health.HealthcheckMiddleware',
'django.middleware.security.SecurityMiddleware',
'whitenoise.middleware.WhiteNoiseMiddleware',
'django_headers.HeadersMiddleware',
'django_origin.OriginMiddleware',
'django.contrib.sessions.middleware.SessionMiddleware',
'django.middleware.common.CommonMiddleware',
'django.middleware.csrf.CsrfViewMiddleware',
'django.contrib.messages.middleware.MessageMiddleware',
'django.middleware.clickjacking.XFrameOptionsMiddleware',
'django_headers.HeadersMiddleware',
'django_www_authenticate.WWWAuthenticateMiddleware',
'aiakos.multiuser.prepend_user.PrependUser',
]
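Review bot: `'django_headers.HeadersMiddleware'` appears twice in this hunk (once just before `'django_origin.OriginMiddleware'` and once near the end); the markers are lost on this page, so if both entries are on the new side the header middleware runs twice per request and one should be dropped, whereas if one of them is the removed line this is fine. The placement of `'django_origin.OriginMiddleware'` ahead of `SessionMiddleware` and `CsrfViewMiddleware` is sound since it only reads request headers and raises before any view or session work, but a one-line comment in settings such as `# must run before CsrfViewMiddleware: rejects cookie-bearing non-GET requests without an allowed Origin` would record why the order matters.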
......
from urllib.parse import urlsplit, urlunsplit
from django.core.exceptions import SuspiciousOperation
from django.conf import settings
BASE_ORIGIN = urlunsplit(urlsplit(settings.BASE_URL)._replace(path=''))
ALLOWED_ORIGINS = [BASE_ORIGIN]
class MissingOrigin(SuspiciousOperation):
pass
class DisallowedOrigin(SuspiciousOperation):
pass
class OriginMiddleware:
def __init__(self, get_response):
self.get_response = get_response
def __call__(self, request):
if request.headers.cookie and request.method != 'GET':
if not request.headers.origin:
raise MissingOrigin()
if request.headers.origin not in ALLOWED_ORIGINS:
raise DisallowedOrigin()
return self.get_response(request)
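Review bot: `request.headers.cookie` and `request.headers.origin` in `__call__` use attribute access on `request.headers`; in stock Django that object is a case-insensitive mapping read as `request.headers.get('Origin')`, so unless this project wraps the request class these lookups would raise AttributeError on every non-GET request instead of performing the check — worth confirming against the Django version in use. The check also fails closed with `MissingOrigin` whenever a browser omits the Origin header on a same-origin POST, which some older browsers did; Django's own `CsrfViewMiddleware` (already in MIDDLEWARE) handles that case by falling back to Referer, so either document that this middleware is intentionally stricter or add the same fallback. `BASE_ORIGIN` drops only the path from `settings.BASE_URL`; `urlsplit(settings.BASE_URL)._replace(path='', query='', fragment='')` would also discard a query string or fragment if one is ever configured, and a module docstring stating that the check is gated on the presence of a Cookie header (so requests carrying other ambient credentials are deliberately not covered) would make the threat model explicit.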