-
Notifications
You must be signed in to change notification settings - Fork 13
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add various HTTP headers to improve security #643
Conversation
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #643 +/- ##
=======================================
Coverage 94.18% 94.18%
=======================================
Files 80 80
Lines 3251 3251
=======================================
Hits 3062 3062
Misses 189 189 ☔ View full report in Codecov by Sentry. |
] | ||
CSP_REPORT_URI = [ | ||
"https://csp-report.browser-intake-datadoghq.com/api/v2/logs" | ||
"?dd-api-key=pubca00a94e49167539d2e291bea2b0f20f&dd-evp-origin=content-security-policy" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this naughty? We give it out for free to anyone who hits the site so having it in code seems fine?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Verify correct type and limited access
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is definitely a client token, from the docs we are definitely using it correctly:
For security reasons, API keys cannot be used to send data from a browser, mobile, or TV app, as they would be exposed client-side. Instead, end user facing applications use client tokens to send data to Datadog.
I can't find any knobs to turn for the permissions on the token, and nothing is mentioned in the docs about this. I think client tokens are inherently limited to only specific things (probably to prevent footguns)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Great stuff. Thank you for doing this!
Improve our security by following the HTTP header recommendations from the following resources:
Setting
X-Forwarded-Proto
also fixes a bug which caused a mixed content error on the changes from #636, since it fixes the value Django uses forrequest.scheme
(currently set tohttp
in prod due to the reverse proxy)