Make sure djangosaml2 works in csp-enabled applications too (fix #391) #392
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,35 @@ | ||
| Introduction | ||
| ============ | ||
|
|
||
| Authentication and Authorization are quite security relevant topics on its own. | ||
| Make sure you understand SAML2 and its implications, specifically the | ||
| separation of duties between Service Provider (SP) and Identity Provider (IdP): | ||
| this library aims to support a Service Provider in getting authenticated with | ||
| with one or more Identity Provider. | ||
|
|
||
| Communication between SP and IdP is routed via the Browser, eliminating the | ||
| need for direct communication between SP and IdP. However, for security the use | ||
| of cryptographic signatures (both while sending and receiving messages) must be | ||
| examined and the private keys in use must be kept closely guarded. | ||
|
|
||
| Content Security Policy | ||
| ======================= | ||
|
|
||
| When using POST-Bindings, the Browser is presented with a small HTML-Form for | ||
| every redirect (both Login and Logout), which is sent using JavaScript and | ||
| sends the Data to the selected IdP. If your application uses technices such as | ||
| Content Security Policy, this might affect the calls. Since Version 1.9.0 | ||
| djangosaml2 will detect if django-csp is installed and update the Content | ||
| Security Policy accordingly. | ||
|
|
||
| [Content Security Policy](https://content-security-policy.com/) is an important | ||
| HTTP-Extension to prevent User Input or other harmful sources from manipulating | ||
| application data. Usage is strongly advised, see | ||
| [OWASP Control](https://owasp.org/www-community/controls/Content_Security_Policy). | ||
|
|
||
| To enable CSP with [django-csp](https://django-csp.readthedocs.io/), simply | ||
| follow their [installation](https://django-csp.readthedocs.io/en/latest/installation.html) | ||
| and [configuration](https://django-csp.readthedocs.io/en/latest/configuration.html) | ||
| guides: djangosaml2 will automatically blend in and update the headers for | ||
| POST-bindings, so you must not include exceptions for djangosaml2 in your | ||
| global configuration. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -41,3 +41,9 @@ under the `Apache 2.0 <https://en.wikipedia.org/wiki/Apache_License>`_. | |
| :caption: FAQ | ||
|
|
||
| contents/faq.md | ||
|
|
||
| .. toctree:: | ||
| :maxdepth: 2 | ||
| :caption: Security considerations | ||
|
|
||
| contents/security.md | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -27,7 +27,7 @@ def read(*rnames): | |
|
|
||
| setup( | ||
| name="djangosaml2", | ||
| version="1.9.0", | ||
| description="pysaml2 integration for Django", | ||
| long_description=read("README.md"), | ||
| long_description_content_type="text/markdown", | ||
|
|
||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
please add a
logger.warninghere. It would be appreciated to make aware the deployers that they may haev security risks (if CSP is not configured at least in the httpd)There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I polished up the security page and added a warning, please check if I am missing important information :)