o 3a@s8ddlmZddlmZddlmZmZmZmZhdZ dZ dZ dZ ed d d Z ed d d Zeddd Zeddd Zeddd Zeddd Zede e e ddd Zeddd Zeddd Zeddd Zedd d Zed!d"d Zed#d$d%ee d&d'Zed(d)d Zd*d+Zd,d-Zeej d.d/d0d1Z!eej d.d/d2d3Z"eej d.d/d4d5Z#eej d.d/d6d7Z$eej d.d/d8d9Z%eej d.d/d:d;Z&eej d.d/dd?Z(eej d.d/d@dAZ)eej d.d/dBdCZ*eej d.d/dDdEZ+eej d.d/dFdGZ,eej dHdIZ-dJS)K)settings)ImproperlyConfigured)ErrorTagsWarningregister> unsafe-url no-referrer same-origin strict-originorigin-when-cross-originno-referrer-when-downgradestrict-origin-when-cross-originoriginzdjango-insecure-2zYou do not have 'django.middleware.security.SecurityMiddleware' in your MIDDLEWARE so the SECURE_HSTS_SECONDS, SECURE_CONTENT_TYPE_NOSNIFF, SECURE_BROWSER_XSS_FILTER, SECURE_REFERRER_POLICY, and SECURE_SSL_REDIRECT settings will have no effect.z security.W001)ida3You do not have 'django.middleware.clickjacking.XFrameOptionsMiddleware' in your MIDDLEWARE, so your pages will not be served with an 'x-frame-options' header. Unless there is a good reason for your site to be served in a frame, you should consider enabling this header to help prevent clickjacking attacks.z security.W002a,You have not set a value for the SECURE_HSTS_SECONDS setting. If your entire site is served only over SSL, you may want to consider setting a value and enabling HTTP Strict Transport Security. Be sure to read the documentation first; enabling HSTS carelessly can cause serious, irreversible problems.z security.W004aYou have not set the SECURE_HSTS_INCLUDE_SUBDOMAINS setting to True. Without this, your site is potentially vulnerable to attack via an insecure connection to a subdomain. Only set this to True if you are certain that all subdomains of your domain should be served exclusively via SSL.z security.W005zYour SECURE_CONTENT_TYPE_NOSNIFF setting is not set to True, so your pages will not be served with an 'X-Content-Type-Options: nosniff' header. You should consider enabling this header to prevent the browser from identifying content types incorrectly.z security.W006aYour SECURE_SSL_REDIRECT setting is not set to True. Unless your site should be available over both SSL and non-SSL connections, you may want to either set this setting True or configure a load balancer or reverse-proxy server to redirect all connections to HTTPS.z security.W008aRYour SECRET_KEY has less than %(min_length)s characters, less than %(min_unique_chars)s unique characters, or it's prefixed with '%(insecure_prefix)s' indicating that it was generated automatically by Django. Please generate a long and random SECRET_KEY, otherwise many of Django's security-critical features will be vulnerable to attack.) min_lengthmin_unique_charsinsecure_prefixz security.W009z4You should not have DEBUG set to True in deployment.z security.W018zYou have 'django.middleware.clickjacking.XFrameOptionsMiddleware' in your MIDDLEWARE, but X_FRAME_OPTIONS is not set to 'DENY'. Unless there is a good reason for your site to serve other parts of itself in a frame, you should change it to 'DENY'.z security.W019z.ALLOWED_HOSTS must not be empty in deployment.z security.W020zYou have not set the SECURE_HSTS_PRELOAD setting to True. Without this, your site cannot be submitted to the browser preload list.z security.W021zYou have not set the SECURE_REFERRER_POLICY setting. Without this, your site will not send a Referrer-Policy header. You should consider enabling this header to protect user privacy.z security.W022zDYou have set the SECURE_REFERRER_POLICY setting to an invalid value.zValid values are: {}.z, z security.E023)hintrz5DEFAULT_HASHING_ALGORITHM must be 'sha1' or 'sha256'.z security.E100cC dtjvS)Nz-django.middleware.security.SecurityMiddlewarer MIDDLEWARErrB/usr/lib/python3/dist-packages/django/core/checks/security/base.py_security_middleware rcCr)Nz6django.middleware.clickjacking.XFrameOptionsMiddlewarerrrrr_xframe_middlewarerrT)deploycKt}|rgStgSN)rW001 app_configskwargs passed_checkrrrcheck_security_middlewarer(cKr!r")rW002r$rrrcheck_xframe_options_middlewarer)r+cKst ptj}|r gStgSr")rrSECURE_HSTS_SECONDSW004r$rrr check_stssr.cK(t p tj p tjdu}|rgStgSNT)rrr,SECURE_HSTS_INCLUDE_SUBDOMAINSW005r$rrrcheck_sts_include_subdomains r3cKr/r0)rrr,SECURE_HSTS_PRELOADW021r$rrrcheck_sts_preloadr4r7cK t ptjdu}|r gStgSr0)rrSECURE_CONTENT_TYPE_NOSNIFFW006r$rrrcheck_content_type_nosniffr;cKr8r0)rrSECURE_SSL_REDIRECTW008r$rrrcheck_ssl_redirectr<r?c Ks\ztj}Wn ttfyd}Ynwtt|tko&t|tko&|t  }|r+gSt gS)NF) r SECRET_KEYrAttributeErrorlenset SECRET_KEY_MIN_UNIQUE_CHARACTERSSECRET_KEY_MIN_LENGTH startswithSECRET_KEY_INSECURE_PREFIXW009)r%r& secret_keyr'rrrcheck_secret_keys   rJcKstj }|rgStgSr")rDEBUGW018r$rrr check_debugsrMcKs t ptjdk}|r gStgS)NDENY)rrX_FRAME_OPTIONSW019r$rrrcheck_xframe_denyr<rQcKstjrgStgSr")r ALLOWED_HOSTSW020r%r&rrrcheck_allowed_hostssrUcKsVtr)tjdur tgSttjtrddtjdD}nttj}|tks)t gSgS)NcSsh|]}|qSr)strip).0vrrr sz(check_referrer_policy..,) rrSECURE_REFERRER_POLICYW022 isinstancestrsplitrCREFERRER_POLICY_VALUESE023)r%r&valuesrrrcheck_referrer_policys   rccKstjdvrtgSgS)N>sha1sha256)rDEFAULT_HASHING_ALGORITHME100rTrrrcheck_default_hashing_algorithms rhN). django.confrdjango.core.exceptionsrrrrrr`rGrErDr#r*r-r2r:r>rHrLrPrSr6r\formatjoinsortedrargrrsecurityr(r+r.r3r7r;r?rJrMrQrUrcrhrrrrs