Hi again, found a few more things worth flagging!
- Session cookies not restricted to HTTPS
The portal has no secure cookie settings configured, meaning session cookies and CSRF tokens could potentially travel over plain HTTP. Since Caddy already serves everything over HTTPS there is no reason for this.
Before: not configured at all (Django defaults to insecure)

After:

```python
# Ensure cookies are only sent over HTTPS
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True
SECURE_CONTENT_TYPE_NOSNIFF = True
```
SECURE_CONTENT_TYPE_NOSNIFF also prevents browsers from executing uploaded files as a different file type, which protects against a class of file upload attacks.
- Debug print statements left in idm/views.py
There are a number of debug print statements left in the login and user management views. Some of these output sensitive information like session keys, TOTP codes and POST request data to the server logs.
Examples:

```python
print("!111")
print(request.POST.keys())
print(f"totp_challenge_{request.session.session_key}")
print("SETTING TOTP CHALLENGE")
print(_("Setting new password for user %(pk)s: %(new_password)s"))
```
These should be removed or replaced with proper logging at an appropriate level.
- LDAP authentication logging is set to DEBUG level
The LDAP logger is set to DEBUG level, meaning every login attempt logs detailed information including usernames, group membership checks and LDAP queries. Might want to reduce it for production mode.
Before:

```python
"loggers": {"django_auth_ldap": {"level": "DEBUG", "handlers": ["console"]}}
```

After:

```python
"loggers": {"django_auth_ldap": {"level": "WARNING", "handlers": ["console"]}}
```
Kind regards
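Added example, not code from the reporter or from the project: one way to do the "replace with proper logging" part for the `idm/views.py` prints and the LDAP logger level in a single `dictConfig`. It keeps `idm.views` at DEBUG but masks values of keys such as `password`, `totp`, `token` and `session_key` before they reach the handler; the key list, logger name and the sample POST data are assumptions made for this example.

```python
import logging
import logging.config
import re

# Constructed for this example: key substrings whose values must never be logged.
SENSITIVE_KEYS = ("password", "totp", "token", "session_key")
REDACTED = "[REDACTED]"

def redact_mapping(data):
    """Copy of a dict-like (e.g. request.POST) with sensitive values masked; keys stay visible."""
    return {k: (REDACTED if any(s in k.lower() for s in SENSITIVE_KEYS) else v)
            for k, v in data.items()}

# Matches "key=value" / "key: value" where the key contains a sensitive substring.
_KV = re.compile(r"(?i)(\w*(?:" + "|".join(SENSITIVE_KEYS) + r")\w*\s*[=:]\s*)\S+")

def scrub(text):
    """Mask the value part of any sensitive key=value pair in a formatted message."""
    return _KV.sub(lambda m: m.group(1) + REDACTED, text)

class RedactingFilter(logging.Filter):
    """Scrub the fully formatted message, so %-style args cannot leak either."""
    def filter(self, record):
        record.msg = scrub(record.getMessage())
        record.args = ()
        return True

def scrubbed_record_message(msg, *args):
    """Run one log call through the filter and return what the handler would see."""
    record = logging.LogRecord("idm.views", logging.DEBUG, "views.py", 1, msg, args, None)
    RedactingFilter().filter(record)
    return record.getMessage()

# dictConfig fragment: app logger stays verbose, django_auth_ldap only at WARNING.
LOGGING = {
    "version": 1,
    "filters": {"redact": {"()": RedactingFilter}},
    "handlers": {"console": {"class": "logging.StreamHandler", "filters": ["redact"]}},
    "loggers": {
        "idm.views": {"level": "DEBUG", "handlers": ["console"]},
        "django_auth_ldap": {"level": "WARNING", "handlers": ["console"]},
    },
}

if __name__ == "__main__":
    logging.config.dictConfig(LOGGING)
    log = logging.getLogger("idm.views")
    fake_post = {"username": "alice", "new_password": "hunter2", "totp_code": "123456"}  # constructed
    log.debug("password reset posted: %s", redact_mapping(fake_post))  # values appear as [REDACTED]
    log.debug("session_key=%s totp_challenge set", "abc123")           # -> session_key=[REDACTED] ...
```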