Erik Romijn committed 49b5e0c

disable csrf, fix non-hsts

Comments (0)

Files changed (3)

ponycheckup/check/checker.py

             ssltest = self.opener.open(url.replace("http", "https"), None, 7)
         except:
             return False
-        return ssltest.info().get('Strict-Transport-Security')
+        return True if ssltest.info().get('Strict-Transport-Security') else False
 
 
     def check_runs_debug(self, url):
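Review bot: the changed return line is just `bool(ssltest.info().get('Strict-Transport-Security'))`, which gives the same True/False result and reads more plainly than `True if ... else False`. Two things in the surrounding context also deserve a look while this function is being touched: `url.replace("http", "https")` rewrites every occurrence of `http` in the URL rather than only the scheme, so a URL that already starts with `https://` becomes `httpss://` and any `http` in the path or query string is altered as well; replacing only a leading `http://` prefix (e.g. `'https://' + url[len('http://'):]` guarded by `url.startswith('http://')`) avoids that. And the bare `except:` turns every failure, including a KeyboardInterrupt or a bug in the code above it, into "no HSTS"; catching the specific urllib and socket errors would keep the result honest.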

ponycheckup/check/models.py

         if self.admin_found and not self.admin_forces_https: self.no_of_recommendations += 1
         if self.login_found and not self.login_forces_https: self.no_of_recommendations += 1
         if self.allows_trace:                                self.no_of_recommendations += 1
-        if not self.csrf_cookie_found:                       self.no_of_recommendations += 1
+        #if not self.csrf_cookie_found:                       self.no_of_recommendations += 1
         if self.session_cookie_found and not self.session_cookie_secure:   self.no_of_recommendations += 1
         if self.session_cookie_found and not self.session_cookie_httponly: self.no_of_recommendations += 1
 
     @property
     def secure_percentage(self):
         # worst is 10, best is 0
-        return int(100-round(10*self.no_of_recommendations))
+        return int(100-round(9*self.no_of_recommendations))
 
 
     @property
     def proven_django(self):
-        return self.runs_debug or self.csrf_cookie_found or self.session_cookie_found or self.admin_found
+        return self.runs_debug or self.csrf_cookie_found or self.session_cookie_found or self.admin_found
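Review bot: the comment `# worst is 10, best is 0` above the changed `secure_percentage` line is now stale; with the CSRF recommendation commented out there are nine counted recommendations and the multiplier is 9, so the comment should say "worst is 9". Rather than leaving `#if not self.csrf_cookie_found: ...` as commented-out code, either delete the line or add a comment stating why the CSRF cookie is no longer counted, so the next reader does not re-enable it by accident; note that `proven_django` below still relies on `csrf_cookie_found`, so the checker must keep populating that field. The `proven_django` return line is shown removed and re-added with identical visible text, which looks like a whitespace-only change; fine if intended, but worth confirming it is not an accidental edit. Minor: `round()` on the integer product `9*self.no_of_recommendations` is a no-op and can be dropped.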

ponycheckup/check/templates/check/result.html

         </div>
 
         <div class="well">
-            <h3>CSRF protection</h3>
-            {% if check_record.csrf_cookie_found %}
-                <div class="alert alert-success">
-                    <h4 class="alert-heading"><i class="icon-ok"></i> Django CSRF protection found</h4>
-                    We found a <em>csrftoken</em> cookie, which means the Django CSRF protection is enabled.
-                    Note that this is not a full test - it could be that some or many views still have CSRF protection
-                    layer disabled.
-                </div>
-            {% else %}
-                <div class="alert alert-error">
-                    <h4 class="alert-heading"><i class="icon-remove"></i> Django CSRF protection not found</h4>
-                    We could not find the Django CSRF cookie, <em>csrftoken</em>. This probably means you did not
-                    enable Django's CSRF protection. This could be a false positive if you have changed the name
-                    of your CSRF cookie, using the <em>CSRF_COOKIE_NAME</em> setting. If you really don't have
-                    any forms using POST on your website, this is probably not a concern.
-                </div>
-            {% endif %}
-            <p>Cross site request forging (CSRF) is an attack where a user is tricked into submitting data or performing
-                some other action on another website, without their knowledge or consent. Django comes with
-                easy-to-use <a href="https://docs.djangoproject.com/en/dev/ref/contrib/csrf/">CSRF protection</a>.
-                This will automatically protect all POST requests from CSRF.</p>
-        </div>
-
-        <div class="well">
             <h3>Clickjacking protection</h3>
             {% if check_record.xframe_header_found %}
                 <div class="alert alert-success">
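Review bot: removing the whole CSRF well is consistent with commenting out the CSRF recommendation in models.py, but it also removes the only user-facing explanation of CSRF, the link to Django's CSRF documentation and the `CSRF_COOKIE_NAME` caveat. Consider keeping the final `<p>` of the removed block (the description plus docs link, without the pass/fail alert) so the report still tells site owners that Django's CSRF protection exists, and record in the commit message why the check is being disabled, e.g. that the cookie's absence is not reliable evidence, as the removed false-positive caveat already concedes.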