Skip to content

security(hardening): CSP, secrets untrack, DB loopback, non-root app, OAuth log redaction, image provenance#322

Merged
vedharish merged 3 commits into
mainfrom
security/chain-remediation-infra-hardening
Jul 15, 2026
Merged

security(hardening): CSP, secrets untrack, DB loopback, non-root app, OAuth log redaction, image provenance#322
vedharish merged 3 commits into
mainfrom
security/chain-remediation-infra-hardening

Conversation

@KrishnaSuravarapu

@KrishnaSuravarapu KrishnaSuravarapu commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

Summary

Single-PR remediation of the in-repo legs across the open enigma attack-chain tickets (CTO-4890…4897). Per direction, everything actionable in this repo is bundled here; rate-limiting is intentionally excludeddjango-axes (AXES_FAILURE_LIMIT=5, lockout) already covers credential-stuffing.

Chains close once all their legs are fixed; this PR advances the code/config legs and the remaining legs (below) are non-code follow-ups.

Changes by chain leg

Chain Leg fixed here File(s)
C-002 Add CSP (django-csp) + X-Frame-Options: DENY, nosniff, referrer-policy settings.py, requirements.txt
C-004 Untrack secrets/*.env (add .sample + .gitignore); bind MySQL & Redis to 127.0.0.1 docker-compose.yml, .gitignore, secrets/
C-001 / C-003 app user gets its own group (not gid 0/root); log file no longer world-writable (chmod 640) Dockerfile
C-005 Attach SLSA provenance + SBOM to the pushed image (Actions were already SHA-pinned) docker-push.yml
C-008 Remove social_core.pipeline.debug.debug (logs OAuth tokens/PII); lower app log level DEBUG → INFO; AXES_ONLY_USER_FAILURES=False so lockout is username+IP not username-only — this is C-008's chain-breaker F-032 (CTO-4880), so C-008 (CTO-4897) closes on merge settings.py

⚠️ Reviewer notes / must-verify

  • CSP not render-tested in this environment. 'unsafe-inline' is retained for script/style (16 templates still ship inline <script>), and a CDN allowlist (code.jquery.com, use.fontawesome.com, fonts.googleapis.com/gstatic, cdn.jsdelivr.net) is included. Smoke-test the ops pages render before relying on it; tighten to nonces + drop 'unsafe-inline' as follow-up.
  • django-csp==3.8 pinned (uses the classic CSP_* settings, Django 4.2-compatible).

Explicitly NOT in this PR (cannot be code)

🤖 Generated with Claude Code

KrishnaSuravarapu and others added 3 commits July 15, 2026 12:51
…k, non-root app, OAuth log redaction, image provenance

Addresses the in-repo legs of the open attack-chain tickets in one change
(rate-limiting excluded - django-axes already enforces login lockout).

- C-002: add django-csp CSPMiddleware + CSP policy, X-Frame-Options DENY,
  nosniff, referrer-policy (settings.py, requirements.txt)
- C-004: untrack secrets/*.env (add .sample templates + .gitignore); bind
  MySQL and Redis to 127.0.0.1 so the DB is not network-reachable
- C-001/C-003: app user gets its own group (not gid 0) and log file is no
  longer world-writable (Dockerfile)
- C-005: attach SLSA provenance + SBOM to the pushed image (actions already
  SHA-pinned)
- C-008: drop social_core.pipeline.debug.debug (logs OAuth tokens/PII) and
  lower app log level DEBUG -> INFO

Not in this PR (cannot be code): rotating the previously-committed secrets
(ops runbook), production bind-mount removal (deploy manifests repo), the
F-022 self-approval IDOR decision, and a password-history validator.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
AXES_ONLY_USER_FAILURES=False so failed-login lockout factors in the
source IP, closing the IP-based brute-force / credential-stuffing gap
(chain C-008 chain-breaker F-032, CTO-4880 / CTO-4897).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
accept_bulk was only @login_required, so any logged-in non-approver could
reach the bulk-approval endpoint (rejected only in the helpers). Add
@user_any_approver — matching sibling views pending_requests/decline_access —
so non-approvers are denied at the view layer. isAnApprover() checks for ANY
approver permission (getPossibleApproverPermissions), so module-specific
approvers are unaffected; per-request approver/self-approval checks in the
helpers are unchanged. Chain-breaker for C-007 (CTO-4896 / CTO-4869).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@vedharish vedharish merged commit 6744335 into main Jul 15, 2026
8 checks passed
@vedharish vedharish deleted the security/chain-remediation-infra-hardening branch July 15, 2026 10:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants