⬆️ update open-api-framework to 8.0.0 #230

Merged
Aug 28, 2024
17 changes: 17 additions & 0 deletions CHANGELOG.rst
@@ -2,6 +2,23 @@
Change history
==============


2.2.0
=====

**New features**

* updated open-api-framework to 0.8.0, which includes adding CSRF, CSP and HSTS settings (#438).
All new environment variables are added to the `documentation <https://objects-and-objecttypes-api.readthedocs.io/en/latest/installation/config.html>`_

.. warning::

``SECURE_HSTS_SECONDS`` has been added with a default of 31536000 seconds, ensure that
before upgrading to this version of open-api-framework, your entire application is served
over HTTPS, otherwise this setting can break parts of your application (see https://docs.djangoproject.com/en/4.2/ref/middleware/#http-strict-transport-security)



2.1.0
=====

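Review bot: the PR title says "update open-api-framework to 8.0.0", but this changelog entry (and every requirements pin in the diff) reads 0.8.0; fix the title so the release history stays searchable. Two more points on this hunk: the entry states that all new environment variables are added to the documentation, yet the visible config.rst changes add only the Content Security Policy section, so confirm that ``SECURE_HSTS_SECONDS`` and the CSRF settings named here are documented as well. The HSTS warning would also be more useful if it said which value to set to keep HSTS off for a deployment that is not yet fully on HTTPS, because a ``max-age`` of 31536000 is cached by browsers for a year and a premature rollout cannot be undone server-side.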
18 changes: 15 additions & 3 deletions docs/installation/config.rst
@@ -19,6 +19,9 @@ Required

* ``SECRET_KEY``: Secret key that's used for certain cryptographic utilities. You should generate one via `miniwebtool <https://www.miniwebtool.com/django-secret-key-generator>`_.
* ``ALLOWED_HOSTS``: a comma separated (without spaces!) list of domains that serve the installation. Used to protect against Host header attacks. Defaults to: ``(empty string)``.
* ``CACHE_DEFAULT``: redis cache address for the default cache (this **MUST** be set when using Docker). Defaults to: ``localhost:6379/0``.
* ``CACHE_AXES``: redis cache address for the brute force login protection cache (this **MUST** be set when using Docker). Defaults to: ``localhost:6379/0``.
* ``EMAIL_HOST``: hostname for the outgoing e-mail server (this **MUST** be set when using Docker). Defaults to: ``localhost``.


Database
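Review bot: the three entries moved into "Required" (``CACHE_DEFAULT``, ``CACHE_AXES``, ``EMAIL_HOST``) still carry a working default, which contradicts "MUST be set"; state the actual condition, namely that the ``localhost`` defaults only work when Redis and the mail server run on the same host as the application, which is why they must be set explicitly under Docker. Otherwise a reader of the "Required" list will assume startup fails without them.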
@@ -49,16 +52,25 @@ Elastic APM
* ``ELASTIC_APM_TRANSACTION_SAMPLE_RATE``: By default, the agent will sample every transaction (e.g. request to your service). To reduce overhead and storage requirements, set the sample rate to a value between 0.0 and 1.0. Defaults to: ``0.1``.


Content Security Policy
-----------------------

* ``CSP_EXTRA_DEFAULT_SRC``: Extra default source URLs for CSP other than ``self``. Used for ``img-src``, ``style-src`` and ``script-src``. Defaults to: ``[]``.
* ``CSP_REPORT_URI``: URI of the``report-uri`` directive. Defaults to: ``None``.
* ``CSP_REPORT_PERCENTAGE``: Percentage of requests that get the ``report-uri`` directive. Defaults to: ``0``.
* ``CSP_EXTRA_FORM_ACTION``: Add additional ``form-action`` source to the default . Defaults to: ``[]``.
* ``CSP_FORM_ACTION``: Override the default ``form-action`` source. Defaults to: ``['"\'self\'"']``.
* ``CSP_EXTRA_IMG_SRC``: Extra ``img-src`` sources for CSP other than ``CSP_DEFAULT_SRC``. Defaults to: ``[]``.
* ``CSP_OBJECT_SRC``: ``object-src`` urls. Defaults to: ``['"\'none\'"']``.


Optional
--------

* ``SITE_ID``: The database ID of the site object. You usually won't have to touch this. Defaults to: ``1``.
* ``DEBUG``: Only set this to ``True`` on a local development environment. Various other security settings are derived from this setting!. Defaults to: ``False``.
* ``USE_X_FORWARDED_HOST``: whether to grab the domain/host from the X-Forwarded-Host header or not. This header is typically set by reverse proxies (such as nginx, traefik, Apache...). Note: this is a header that can be spoofed and you need to ensure you control it before enabling this. Defaults to: ``False``.
* ``IS_HTTPS``: Used to construct absolute URLs and controls a variety of security settings. Defaults to the inverse of ``DEBUG``.
* ``CACHE_DEFAULT``: redis cache address for the default cache. Defaults to: ``localhost:6379/0``.
* ``CACHE_AXES``: redis cache address for the brute force login protection cache. Defaults to: ``localhost:6379/0``.
* ``EMAIL_HOST``: hostname for the outgoing e-mail server. Defaults to: ``localhost``.
* ``EMAIL_PORT``: port number of the outgoing e-mail server. Note that if you're on Google Cloud, sending e-mail via port 25 is completely blocked and you should use 487 for TLS. Defaults to: ``25``.
* ``EMAIL_HOST_USER``: username to connect to the mail server. Defaults to: ``(empty string)``.
* ``EMAIL_HOST_PASSWORD``: password to connect to the mail server. Defaults to: ``(empty string)``.
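Review bot: the new Content Security Policy section needs a note that ``CSP_REPORT_URI`` has no effect on its own, since ``CSP_REPORT_PERCENTAGE`` defaults to ``0`` and the ``report-uri`` directive is then attached to no requests; an operator who sets only the URI will see no reports and may conclude the policy is not being violated. Small fixes in the same hunk: ``URI of the``report-uri`` directive`` is missing a space before the literal, ``to the default .`` has a stray space before the period, "``urls``" should be "URLs", and ``other than ``self``` should read ``'self'`` to match the quoted source keyword shown in the ``CSP_FORM_ACTION`` and ``CSP_OBJECT_SRC`` defaults.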
5 changes: 4 additions & 1 deletion requirements/base.txt
@@ -76,6 +76,7 @@ django==4.2.15
# django-appconf
# django-axes
# django-cors-headers
# django-csp
# django-filter
# django-formtools
# django-jsonform
@@ -111,6 +112,8 @@ django-axes==6.5.1
# via open-api-framework
django-cors-headers==4.4.0
# via open-api-framework
django-csp==3.8
# via open-api-framework
django-filter==24.2
# via
# commonground-api-common
@@ -228,7 +231,7 @@ mozilla-django-oidc-db==0.19.0
# via open-api-framework
notifications-api-common==0.2.2
# via commonground-api-common
open-api-framework==0.7.1
open-api-framework==0.8.0
# via -r requirements/base.in
orderedmultidict==1.0.1
# via furl
8 changes: 7 additions & 1 deletion requirements/ci.txt
@@ -153,6 +153,7 @@ django==4.2.15
# django-appconf
# django-axes
# django-cors-headers
# django-csp
# django-filter
# django-formtools
# django-jsonform
@@ -200,6 +201,11 @@ django-cors-headers==4.4.0
# -c requirements/base.txt
# -r requirements/base.txt
# open-api-framework
django-csp==3.8
# via
# -c requirements/base.txt
# -r requirements/base.txt
# open-api-framework
django-filter==24.2
# via
# -c requirements/base.txt
@@ -487,7 +493,7 @@ notifications-api-common==0.2.2
# -c requirements/base.txt
# -r requirements/base.txt
# commonground-api-common
open-api-framework==0.7.1
open-api-framework==0.8.0
# via
# -c requirements/base.txt
# -r requirements/base.txt
8 changes: 7 additions & 1 deletion requirements/dev.txt
@@ -181,6 +181,7 @@ django==4.2.15
# django-appconf
# django-axes
# django-cors-headers
# django-csp
# django-debug-toolbar
# django-extensions
# django-filter
@@ -230,6 +231,11 @@ django-cors-headers==4.4.0
# -c requirements/ci.txt
# -r requirements/ci.txt
# open-api-framework
django-csp==3.8
# via
# -c requirements/ci.txt
# -r requirements/ci.txt
# open-api-framework
django-debug-toolbar==4.4.6
# via -r requirements/dev.in
django-extensions==3.2.3
@@ -556,7 +562,7 @@ notifications-api-common==0.2.2
# -c requirements/ci.txt
# -r requirements/ci.txt
# commonground-api-common
open-api-framework==0.7.1
open-api-framework==0.8.0
# via
# -c requirements/ci.txt
# -r requirements/ci.txt