
Security hardening #49

Merged
anderstorstensson merged 3 commits into next from security-hardening
Feb 6, 2026

Conversation

@anderstorstensson
Member

  • Hide is_superuser field from non-superuser staff in admin user form
  • Harden cookie and transport security settings for production (HTTPS-only cookies, HSTS, SSL redirect), disabled in DEBUG mode
  • Add login rate limiting via django-axes (5 failed attempts → 1 hour IP lockout)
  • Validate syncdb log file IDs against expected format for defense-in-depth

- Add secure cookie settings (SESSION_COOKIE_SECURE, CSRF_COOKIE_SECURE,
  SESSION_COOKIE_HTTPONLY) and HTTPS enforcement, gated on DEBUG=False
- Add django-axes for admin login brute-force protection (5 attempts,
  1 hour cooloff per IP)
- Validate syncdb log_id format in get_log_file for defense-in-depth

Note: requires `python manage.py migrate` to create axes tables.

Non-superuser managers with user change permission could previously
grant superuser access via the admin user form. The is_superuser
field is now only visible to superusers.
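As an added illustration (not code from this PR or the project), one way a `get_log_file` format check of the kind described above can be layered with a path-containment check. The log directory and the ID format (lowercase hex) are assumptions, since the PR does not state them:

```python
import re
from pathlib import Path

# Assumed values for illustration; the PR does not state the real ones.
SYNCDB_LOG_DIR = Path("/var/log/syncdb")          # placeholder directory
LOG_ID_RE = re.compile(r"^[0-9a-f]{8,64}$")       # assumed ID format


class InvalidLogId(ValueError):
    """Raised when a log ID fails validation."""


def validate_log_id(log_id: str) -> str:
    """Primary check: reject anything outside the allow-listed format
    before it can become part of a filesystem path."""
    if not isinstance(log_id, str) or not LOG_ID_RE.fullmatch(log_id):
        raise InvalidLogId(f"log id does not match expected format: {log_id!r}")
    return log_id


def get_log_file(log_id: str, log_dir: Path = SYNCDB_LOG_DIR) -> Path:
    """Resolve the log file for a validated ID.

    Defense in depth: even after the format check, confirm the resolved
    path still lies inside log_dir, so a later relaxation of LOG_ID_RE
    cannot quietly reintroduce path traversal.
    """
    log_id = validate_log_id(log_id)
    base = log_dir.resolve()
    candidate = (base / f"{log_id}.log").resolve()
    if base not in candidate.parents:
        raise InvalidLogId("resolved path escapes the log directory")
    return candidate


def is_valid_log_id(log_id: str) -> bool:
    """Yes/no wrapper for callers that do not want the exception."""
    try:
        validate_log_id(log_id)
    except InvalidLogId:
        return False
    return True


if __name__ == "__main__":
    # Constructed inputs: one well-formed ID and two traversal attempts.
    for candidate in ("deadbeefcafe1234", "../../etc/passwd", "deadbeef/../x"):
        print(candidate, "->", is_valid_log_id(candidate))
```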
@anderstorstensson anderstorstensson merged commit d9c0821 into next Feb 6, 2026
4 checks passed
@anderstorstensson anderstorstensson deleted the security-hardening branch February 6, 2026 11:06
