Don't apply baseline CSRF settings in beta (#6619)

Until our beta admin site is converted to https, we can't apply baseline CSRF settings
cfpb · Aug 24, 2021 · 2670da6 · 2670da6
1 parent ec59405
commit 2670da6
Showing 1 changed file with 9 additions and 7 deletions.
diff --git a/cfgov/cfgov/settings/base.py b/cfgov/cfgov/settings/base.py
@@ -890,13 +890,15 @@
 
 
 # Django 2.2 Baseline required settings
-SESSION_COOKIE_SECURE = True
-CSRF_COOKIE_SECURE = True
-CSRF_COOKIE_HTTPONLY = True
-SECURE_BROWSER_XSS_FILTER = True
-SECURE_HSTS_SECONDS = 600
-SECURE_CONTENT_TYPE_NOSNIFF = True
-
+# exempt beta from CSRF settings until it's converted to https
+
+if DEPLOY_ENVIRONMENT != "beta":
+    SESSION_COOKIE_SECURE = True
+    CSRF_COOKIE_HTTPONLY = True
+    CSRF_COOKIE_SECURE = True
+    SECURE_BROWSER_XSS_FILTER = True
+    SECURE_HSTS_SECONDS = 600
+    SECURE_CONTENT_TYPE_NOSNIFF = True
 
 # Cache Settings
 CACHES = {