Add various HTTP headers to improve security #643
Conversation
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #643 +/- ##
=======================================
Coverage 94.18% 94.18%
=======================================
Files 80 80
Lines 3251 3251
=======================================
Hits 3062 3062
Misses 189 189 ☔ View full report in Codecov by Sentry. |
| ] | ||
| CSP_REPORT_URI = [ | ||
| "https://csp-report.browser-intake-datadoghq.com/api/v2/logs" | ||
| "?dd-api-key=pubca00a94e49167539d2e291bea2b0f20f&dd-evp-origin=content-security-policy" |
There was a problem hiding this comment.
Is this naughty? We give it out for free to anyone who hits the site so having it in code seems fine?
There was a problem hiding this comment.
Verify correct type and limited access
There was a problem hiding this comment.
This is definitely a client token, from the docs we are definitely using it correctly:
For security reasons, API keys cannot be used to send data from a browser, mobile, or TV app, as they would be exposed client-side. Instead, end user facing applications use client tokens to send data to Datadog.
I can't find any knobs to turn for the permissions on the token, and nothing is mentioned in the docs about this. I think client tokens are inherently limited to only specific things (probably to prevent footguns)
Improve our security by following the HTTP header recommendations from the following resources:
Setting
X-Forwarded-Protoalso fixes a bug which caused a mixed content error on the changes from #636, since it fixes the value Django uses forrequest.scheme(currently set tohttpin prod due to the reverse proxy)