"""
Django middleware forms a pipeline: every request passes through each middleware in order before
it reaches the view, and the response passes back through them in reverse. Middleware can therefore
observe or alter both sides. This module provides request auditing (AuditLogMiddleware) and a
baseline set of HTTP security response headers (SecurityHeadersMiddleware).
"""
import json

from django.urls import reverse
from rest_framework.authentication import TokenAuthentication
from rest_framework.exceptions import AuthenticationFailed

from my_apps.users.models import AuditLog
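class AuditLogMiddleware:
    """Record every non-ignored request in :class:`AuditLog` before it is dispatched.

    The row is written *before* ``get_response`` runs, so an attempt is recorded
    even when the downstream view raises or rejects the request; consequently the
    row never carries the response status.

    DRF token authentication happens inside the view, i.e. after this middleware,
    so for token-bearing API calls ``request.user`` is still anonymous here.  The
    middleware therefore falls back to :class:`TokenAuthentication` purely to
    attribute the audit row; ``request.user`` itself is never replaced.
    """

    # Named URL patterns whose requests are never audited.
    IGNORED_URL_NAMES = ("home_redirect", "login_redirect")

    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        """Write the audit row (unless the path is ignored), then dispatch the request."""
        path = request.path
        if self.is_valid_path(path):
            AuditLog.objects.create(
                user=self._resolve_user(request),
                method=request.method,
                path=path,
                params=self._serialize_params(request),
            )
        return self.get_response(request)

    @staticmethod
    def _resolve_user(request):
        """Return the user to attribute the request to, or ``None`` if nobody is identified.

        Session authentication (``request.user``) wins when it identifies someone;
        ``is_authenticated`` is the check, because an anonymous user object is
        still a truthy object and has no usable id.  Otherwise the DRF token
        header is tried directly, as a best effort: a missing header yields
        ``None`` from ``authenticate``, an invalid token raises
        ``AuthenticationFailed``, and both are logged as anonymous -- the view's
        own authentication will reject a bad token properly.
        """
        user = getattr(request, "user", None)
        if user is not None and getattr(user, "is_authenticated", False):
            return user
        try:
            result = TokenAuthentication().authenticate(request)
        except AuthenticationFailed:
            return None
        if result is None:
            return None
        token_user, _token = result
        return token_user

    @staticmethod
    def _serialize_params(request):
        """JSON-encode the query string for storage in the audit row.

        ``dict(request.GET)`` keeps the MultiValueDict storage, so each key maps
        to the list of all values it was given.

        NOTE(review): values are stored verbatim.  If any endpoint accepts
        credentials, tokens or other secrets as query parameters they will be
        persisted in the audit table; redact such keys here before relying on
        this in production.
        """
        return json.dumps(dict(request.GET))

    @staticmethod
    def is_valid_path(path: str) -> bool:
        """Return True when a request to ``path`` should be audited.

        Excluded: any path containing ``__debug__`` (the debug-toolbar prefix)
        and the named redirect routes in ``IGNORED_URL_NAMES``.  The names are
        resolved with ``reverse`` per call rather than at import time so that
        importing this module never requires a loaded URLconf.
        """
        if "__debug__" in path:
            return False
        return all(path != reverse(name) for name in AuditLogMiddleware.IGNORED_URL_NAMES)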
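class SecurityHeadersMiddleware:
    """Add a baseline set of security response headers to every response.

    Each header is applied with ``setdefault`` semantics, the same convention
    ``django.middleware.security.SecurityMiddleware`` follows: a view or an
    earlier middleware that deliberately sets one of these headers (for example
    a page that must be framed by its own origin) keeps its value instead of
    being silently overwritten.

    NOTE(review): no ``Content-Security-Policy`` is emitted here; the headers
    below are not a substitute for one.
    """

    # Header name -> value to apply when the response does not already carry it.
    HEADERS = {
        # Reach this host, and every subdomain, only over HTTPS for one year.
        # Browsers ignore the header on plain-HTTP responses, so sending it
        # unconditionally is harmless and avoids depending on
        # SECURE_PROXY_SSL_HEADER being right; ``includeSubDomains`` means every
        # subdomain must already serve TLS.
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        # Handle the body only as its declared Content-Type (no MIME sniffing).
        "X-Content-Type-Options": "nosniff",
        # Refuse to be rendered inside any frame, iframe, embed or object
        # (clickjacking defence).
        "X-Frame-Options": "DENY",
        # The legacy XSS auditor this header controlled has been removed from
        # current browsers and, where still present, could itself be abused to
        # leak page content; OWASP recommends disabling it explicitly ("0") and
        # relying on a Content-Security-Policy instead.
        "X-XSS-Protection": "0",
        # Send the Referer only on same-origin requests.
        "Referrer-Policy": "same-origin",
        # Legacy spelling of Permissions-Policy for older browsers.
        "Feature-Policy": "camera 'self'; microphone 'self'; fullscreen 'self' 'allowfullscreen'",
        # Restrict powerful browser features to this origin or disable them.
        "Permissions-Policy": (
            "camera=(self), microphone=(self), geolocation=(), accelerometer=(), "
            "gyroscope=(), magnetometer=(), payment=(), fullscreen=(self)"
        ),
    }

    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        """Run the downstream pipeline, then fill in any missing baseline header."""
        response = self.get_response(request)
        for name, value in self.HEADERS.items():
            # HttpResponse exposes dict-style setdefault on its headers.
            response.setdefault(name, value)
        return response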