feat: add cors, csrf and session configuration

basedosdados · Apr 4, 2024 · 269ee5e · 269ee5e
1 parent aa11508
commit 269ee5e
Show file tree

Hide file tree

Showing 4 changed files with 24 additions and 3 deletions.
diff --git a/.github/workflows/deploy-dev.yaml b/.github/workflows/deploy-dev.yaml
@@ -97,6 +97,12 @@ jobs:
  value: "https://development.basedosdados.org"
  - name: "BASE_URL_API"
  value: "https://development.api.basedosdados.org"
+ - name: "CSRF_COOKIE_DOMAIN"
+ value: "${{ secrets.CSRF_COOKIE_DOMAIN }}"
+ - name: "CSRF_TRUSTED_ORIGIN"
+ value: "${{ secrets.CSRF_TRUSTED_ORIGIN }}"
+ - name: "SESSION_COOKIE_DOMAIN"
+ value: "${{ secrets.SESSION_COOKIE_DOMAIN }}"
  - name: "LOGGER_LEVEL"
  value: "${{ secrets.LOGGER_LEVEL }}"
  - name: "LOGGER_IGNORE"

diff --git a/.github/workflows/deploy-prod.yaml b/.github/workflows/deploy-prod.yaml
@@ -66,6 +66,12 @@ jobs:
  value: "https://basedosdados.org"
  - name: "BASE_URL_API"
  value: "https://api.basedosdados.org"
+ - name: "CSRF_COOKIE_DOMAIN"
+ value: "${{ secrets.CSRF_COOKIE_DOMAIN }}"
+ - name: "CSRF_TRUSTED_ORIGIN"
+ value: "${{ secrets.CSRF_TRUSTED_ORIGIN }}"
+ - name: "SESSION_COOKIE_DOMAIN"
+ value: "${{ secrets.SESSION_COOKIE_DOMAIN }}"
  - name: "LOGGER_LEVEL"
  value: "${{ secrets.LOGGER_LEVEL }}"
  - name: "LOGGER_IGNORE"

diff --git a/.github/workflows/deploy-staging.yaml b/.github/workflows/deploy-staging.yaml
@@ -66,6 +66,12 @@ jobs:
  value: "https://staging.basedosdados.org"
  - name: "BASE_URL_API"
  value: "https://staging.api.basedosdados.org"
+ - name: "CSRF_COOKIE_DOMAIN"
+ value: "${{ secrets.CSRF_COOKIE_DOMAIN }}"
+ - name: "CSRF_TRUSTED_ORIGIN"
+ value: "${{ secrets.CSRF_TRUSTED_ORIGIN }}"
+ - name: "SESSION_COOKIE_DOMAIN"
+ value: "${{ secrets.SESSION_COOKIE_DOMAIN }}"
  - name: "LOGGER_LEVEL"
  value: "${{ secrets.LOGGER_LEVEL }}"
  - name: "LOGGER_IGNORE"

diff --git a/bd_api/settings/base.py b/bd_api/settings/base.py
@@ -31,7 +31,12 @@
 
 ALLOWED_HOSTS = ["*"]
 CORS_ORIGIN_ALLOW_ALL = True
-
+CSRF_COOKIE_SECURE = True
+CSRF_COOKIE_DOMAIN = getenv("CSRF_COOKIE_DOMAIN")
+CSRF_TRUSTED_ORIGINS = [getenv("CSRF_TRUSTED_ORIGIN")]
+SESSION_COOKIE_AGE = 60 * 60 * 60
+SESSION_COOKIE_SECURE = True
+SESSION_COOKIE_DOMAIN = getenv("SESSION_COOKIE_DOMAIN")
 
 # Application definition
 
@@ -271,8 +276,6 @@
  "actions_sticky_top": True,
 }
 
-CSRF_COOKIE_HTTPONLY = False
-
 DATA_UPLOAD_MAX_NUMBER_FIELDS = 20000
 
 HUEY = {