X@sddlmZddlmZmZmZddlmZdZdZ eddd Z ed dd Z ed dd Z edddZ edddZedddZedddZedied6e d6ddZedddZedddZedddZd d!Zd"d#Zeejd$d%d&d'Zeejd$d%d(d)Zeejd$d%d*d+Zeejd$d%d,d-Zeejd$d%d.d/Zeejd$d%d0d1Zeejd$d%d2d3Zeejd$d%d4d5Zeejd$d%d6d7Z eejd$d%d8d9Z!eejd$d%d:d;Z"d<S)=)settings)TagsWarningregister)patch_middleware_message2zYou do not have 'django.middleware.security.SecurityMiddleware' in your MIDDLEWARE so the SECURE_HSTS_SECONDS, SECURE_CONTENT_TYPE_NOSNIFF, SECURE_BROWSER_XSS_FILTER, and SECURE_SSL_REDIRECT settings will have no effect.idz security.W001a3You do not have 'django.middleware.clickjacking.XFrameOptionsMiddleware' in your MIDDLEWARE, so your pages will not be served with an 'x-frame-options' header. Unless there is a good reason for your site to be served in a frame, you should consider enabling this header to help prevent clickjacking attacks.z security.W002a,You have not set a value for the SECURE_HSTS_SECONDS setting. If your entire site is served only over SSL, you may want to consider setting a value and enabling HTTP Strict Transport Security. Be sure to read the documentation first; enabling HSTS carelessly can cause serious, irreversible problems.z security.W004aYou have not set the SECURE_HSTS_INCLUDE_SUBDOMAINS setting to True. Without this, your site is potentially vulnerable to attack via an insecure connection to a subdomain. Only set this to True if you are certain that all subdomains of your domain should be served exclusively via SSL.z security.W005zYour SECURE_CONTENT_TYPE_NOSNIFF setting is not set to True, so your pages will not be served with an 'x-content-type-options: nosniff' header. You should consider enabling this header to prevent the browser from identifying content types incorrectly.z security.W006zYour SECURE_BROWSER_XSS_FILTER setting is not set to True, so your pages will not be served with an 'x-xss-protection: 1; mode=block' header. You should consider enabling this header to activate the browser's XSS filtering and help prevent XSS attacks.z security.W007aYour SECURE_SSL_REDIRECT setting is not set to True. Unless your site should be available over both SSL and non-SSL connections, you may want to either set this setting True or configure a load balancer or reverse-proxy server to redirect all connections to HTTPS.z security.W008zYour SECRET_KEY has less than %(min_length)s characters or less than %(min_unique_chars)s unique characters. Please generate a long and random SECRET_KEY, otherwise many of Django's security-critical features will be vulnerable to attack.Z min_lengthZmin_unique_charsz security.W009z4You should not have DEBUG set to True in deployment.z security.W018aYou have 'django.middleware.clickjacking.XFrameOptionsMiddleware' in your MIDDLEWARE, but X_FRAME_OPTIONS is not set to 'DENY'. The default is 'SAMEORIGIN', but unless there is a good reason for your site to serve other parts of itself in a frame, you should change it to 'DENY'.z security.W019z.ALLOWED_HOSTS must not be empty in deployment.z security.W020cCs%dtjkp$tjo$dtjkS)Nz-django.middleware.security.SecurityMiddleware)rMIDDLEWARE_CLASSES MIDDLEWAREr r N/home/ubuntu/projects/ifolica/build/django/django/core/checks/security/base.py_security_middlewareisrcCs%dtjkp$tjo$dtjkS)Nz6django.middleware.clickjacking.XFrameOptionsMiddleware)rr r r r r r_xframe_middlewarensrZdeployTcKs t}|rgSttgS)N)rrW001) app_configskwargs passed_checkr r rcheck_security_middlewaress rcKs t}|rgSttgS)N)rrW002)rrrr r rcheck_xframe_options_middlewareys rcKs$t ptj}|rgStgS)N)rrSECURE_HSTS_SECONDSW004)rrrr r r check_stssrcKs4t p tj p tjdk}|r-gStgS)NT)rrrZSECURE_HSTS_INCLUDE_SUBDOMAINSW005)rrrr r rcheck_sts_include_subdomainss  rcKs*t ptjdk}|r#gStgS)NT)rrZSECURE_CONTENT_TYPE_NOSNIFFW006)rrrr r rcheck_content_type_nosniffs rcKs*t ptjdk}|r#gStgS)NT)rrZSECURE_BROWSER_XSS_FILTERW007)rrrr r rcheck_xss_filters r cKs*t ptjdk}|r#gStgS)NT)rrZSECURE_SSL_REDIRECTW008)rrrr r rcheck_ssl_redirects r"cKsSttddo?tttjtko?ttjtk}|rLgStgS)N SECRET_KEY)getattrrlensetr# SECRET_KEY_MIN_UNIQUE_CHARACTERSSECRET_KEY_MIN_LENGTHW009)rrrr r rcheck_secret_keysr*cKstj }|rgStgS)N)rDEBUGW018)rrrr r r check_debugs r-cKs0t ptjdk}|r#gSttgS)NZDENY)rrZX_FRAME_OPTIONSrW019)rrrr r rcheck_xframe_denys r/cKstjr gStgS)N)rZ ALLOWED_HOSTSW020)rrr r rcheck_allowed_hostssr1N)#Z django.confrrrrutilsrr(r'rrrrrrr!r)r,r.r0rrsecurityrrrrrr r"r*r-r/r1r r r rsj              !!!! ! ! ! ! !!