django
diff --git a/‎django/conf/global_settings.py
+11 b/‎django/conf/global_settings.py
+11
diff --git a/‎django/conf/project_template/project_name/settings.py
+1 b/‎django/conf/project_template/project_name/settings.py
+1
diff --git a/‎django/core/checks/__init__.py
+3 b/‎django/core/checks/__init__.py
+3
diff --git a/‎django/core/checks/registry.py
+22-10 b/‎django/core/checks/registry.py
+22-10
diff --git a/‎django/core/checks/security/__init__.py b/‎django/core/checks/security/__init__.py
diff --git a/‎django/core/checks/security/base.py
+185 b/‎django/core/checks/security/base.py
+185
diff --git a/‎django/core/checks/security/csrf.py
+57 b/‎django/core/checks/security/csrf.py
+57
@@ -631,3 +631,14 @@
 # serious issues like errors and criticals does not result in hiding the
 # message, but Django will not stop you from e.g. running server.
 SILENCED_SYSTEM_CHECKS = []
+
+#######################
+# SECURITY MIDDLEWARE #
+#######################
+SECURE_BROWSER_XSS_FILTER = False
+SECURE_CONTENT_TYPE_NOSNIFF = False
+SECURE_HSTS_INCLUDE_SUBDOMAINS = False
+SECURE_HSTS_SECONDS = 0
+SECURE_REDIRECT_EXEMPT = []
+SECURE_SSL_HOST = None
+SECURE_SSL_REDIRECT = False
@@ -46,6 +46,7 @@
     'django.contrib.auth.middleware.SessionAuthenticationMiddleware',
     'django.contrib.messages.middleware.MessageMiddleware',
     'django.middleware.clickjacking.XFrameOptionsMiddleware',
+    'django.middleware.security.SecurityMiddleware',
 )
 
 ROOT_URLCONF = '{{ project_name }}.urls'
 
@@ -10,6 +10,9 @@
 import django.core.checks.compatibility.django_1_6_0  # NOQA
 import django.core.checks.compatibility.django_1_7_0  # NOQA
 import django.core.checks.model_checks  # NOQA
+import django.core.checks.security.base  # NOQA
+import django.core.checks.security.csrf  # NOQA
+import django.core.checks.security.sessions  # NOQA
 
 __all__ = [
     'CheckMessage',
 
@@ -13,15 +13,17 @@ class Tags(object):
     admin = 'admin'
     compatibility = 'compatibility'
     models = 'models'
+    security = 'security'
     signals = 'signals'
 
 
 class CheckRegistry(object):
 
     def __init__(self):
         self.registered_checks = []
+        self.deployment_checks = []
 
-    def register(self, *tags):
+    def register(self, *tags, **kwargs):
         """
         Decorator. Register given function `f` labeled with given `tags`. The
         function should receive **kwargs and return list of Errors and
@@ -36,24 +38,28 @@ def my_check(apps, **kwargs):
                 return errors
 
         """
+        kwargs.setdefault('deploy', False)
 
         def inner(check):
             check.tags = tags
-            if check not in self.registered_checks:
+            if kwargs['deploy']:
+                if check not in self.deployment_checks:
+                    self.deployment_checks.append(check)
+            elif check not in self.registered_checks:
                 self.registered_checks.append(check)
             return check
 
         return inner
 
-    def run_checks(self, app_configs=None, tags=None):
+    def run_checks(self, app_configs=None, tags=None, include_deployment_checks=False):
         """ Run all registered checks and return list of Errors and Warnings.
         """
         errors = []
+        checks = self.get_checks(include_deployment_checks)
+
         if tags is not None:
-            checks = [check for check in self.registered_checks
+            checks = [check for check in checks
                       if hasattr(check, 'tags') and set(check.tags) & set(tags)]
-        else:
-            checks = self.registered_checks
 
         for check in checks:
             new_errors = check(app_configs=app_configs)
@@ -63,11 +69,17 @@ def run_checks(self, app_configs=None, tags=None):
             errors.extend(new_errors)
         return errors
 
-    def tag_exists(self, tag):
-        return tag in self.tags_available()
+    def tag_exists(self, tag, include_deployment_checks=False):
+        return tag in self.tags_available(include_deployment_checks)
+
+    def tags_available(self, deployment_checks=False):
+        return set(chain(*[check.tags for check in self.get_checks(deployment_checks) if hasattr(check, 'tags')]))
 
-    def tags_available(self):
-        return set(chain(*[check.tags for check in self.registered_checks if hasattr(check, 'tags')]))
+    def get_checks(self, include_deployment_checks=False):
+        checks = list(self.registered_checks)
+        if include_deployment_checks:
+            checks.extend(self.deployment_checks)
+        return checks
 
 
 registry = CheckRegistry()
 
@@ -0,0 +1,185 @@
+from django.conf import settings
+
+from .. import register, Tags, Warning
+
+
+SECRET_KEY_MIN_LENGTH = 50
+SECRET_KEY_MIN_UNIQUE_CHARACTERS = 5
+
+W001 = Warning(
+    "You do not have 'django.middleware.security.SecurityMiddleware' "
+    "in your MIDDLEWARE_CLASSES so the SECURE_HSTS_SECONDS, "
+    "SECURE_CONTENT_TYPE_NOSNIFF, "
+    "SECURE_BROWSER_XSS_FILTER, and SECURE_SSL_REDIRECT settings "
+    "will have no effect.",
+    id='security.W001',
+)
+
+W002 = Warning(
+    "You do not have "
+    "'django.middleware.clickjacking.XFrameOptionsMiddleware' in your "
+    "MIDDLEWARE_CLASSES, so your pages will not be served with an "
+    "'x-frame-options' header. Unless there is a good reason for your "
+    "site to be served in a frame, you should consider enabling this "
+    "header to help prevent clickjacking attacks.",
+    id='security.W002',
+)
+
+W004 = Warning(
+    "You have not set a value for the SECURE_HSTS_SECONDS setting. "
+    "If your entire site is served only over SSL, you may want to consider "
+    "setting a value and enabling HTTP Strict Transport Security. "
+    "Be sure to read the documentation first; enabling HSTS carelessly "
+    "can cause serious, irreversible problems.",
+    id='security.W004',
+)
+
+W005 = Warning(
+    "You have not set the SECURE_HSTS_INCLUDE_SUBDOMAINS setting to True. "
+    "Without this, your site is potentially vulnerable to attack "
+    "via an insecure connection to a subdomain. Only set this to True if "
+    "you are certain that all subdomains of your domain should be served "
+    "exclusively via SSL.",
+    id='security.W005',
+)
+
+W006 = Warning(
+    "Your SECURE_CONTENT_TYPE_NOSNIFF setting is not set to True, "
+    "so your pages will not be served with an "
+    "'x-content-type-options: nosniff' header. "
+    "You should consider enabling this header to prevent the "
+    "browser from identifying content types incorrectly.",
+    id='security.W006',
+)
+
+W007 = Warning(
+    "Your SECURE_BROWSER_XSS_FILTER setting is not set to True, "
+    "so your pages will not be served with an "
+    "'x-xss-protection: 1; mode=block' header. "
+    "You should consider enabling this header to activate the "
+    "browser's XSS filtering and help prevent XSS attacks.",
+    id='security.W007',
+)
+
+W008 = Warning(
+    "Your SECURE_SSL_REDIRECT setting is not set to True. "
+    "Unless your site should be available over both SSL and non-SSL "
+    "connections, you may want to either set this setting True "
+    "or configure a load balancer or reverse-proxy server "
+    "to redirect all connections to HTTPS.",
+    id='security.W008',
+)
+
+W009 = Warning(
+    "Your SECRET_KEY has less than %(min_length)s characters or less than "
+    "%(min_unique_chars)s unique characters. Please generate a long and random "
+    "SECRET_KEY, otherwise many of Django's security-critical features will be "
+    "vulnerable to attack." % {
+        'min_length': SECRET_KEY_MIN_LENGTH,
+        'min_unique_chars': SECRET_KEY_MIN_UNIQUE_CHARACTERS,
+    },
+    id='security.W009',
+)
+
+W018 = Warning(
+    "You should not have DEBUG set to True in deployment.",
+    id='security.W018',
+)
+
+W019 = Warning(
+    "You have "
+    "'django.middleware.clickjacking.XFrameOptionsMiddleware' in your "
+    "MIDDLEWARE_CLASSES, but X_FRAME_OPTIONS is not set to 'DENY'. "
+    "The default is 'SAMEORIGIN', but unless there is a good reason for "
+    "your site to serve other parts of itself in a frame, you should "
+    "change it to 'DENY'.",
+    id='security.W019',
+)
+
+
+def _security_middleware():
+    return "django.middleware.security.SecurityMiddleware" in settings.MIDDLEWARE_CLASSES
+
+
+def _xframe_middleware():
+    return "django.middleware.clickjacking.XFrameOptionsMiddleware" in settings.MIDDLEWARE_CLASSES
+
+
+@register(Tags.security, deploy=True)
+def check_security_middleware(app_configs, **kwargs):
+    passed_check = _security_middleware()
+    return [] if passed_check else [W001]
+
+
+@register(Tags.security, deploy=True)
+def check_xframe_options_middleware(app_configs, **kwargs):
+    passed_check = _xframe_middleware()
+    return [] if passed_check else [W002]
+
+
+@register(Tags.security, deploy=True)
+def check_sts(app_configs, **kwargs):
+    passed_check = not _security_middleware() or settings.SECURE_HSTS_SECONDS
+    return [] if passed_check else [W004]
+
+
+@register(Tags.security, deploy=True)
+def check_sts_include_subdomains(app_configs, **kwargs):
+    passed_check = (
+        not _security_middleware() or
+        not settings.SECURE_HSTS_SECONDS or
+        settings.SECURE_HSTS_INCLUDE_SUBDOMAINS is True
+    )
+    return [] if passed_check else [W005]
+
+
+@register(Tags.security, deploy=True)
+def check_content_type_nosniff(app_configs, **kwargs):
+    passed_check = (
+        not _security_middleware() or
+        settings.SECURE_CONTENT_TYPE_NOSNIFF is True
+    )
+    return [] if passed_check else [W006]
+
+
+@register(Tags.security, deploy=True)
+def check_xss_filter(app_configs, **kwargs):
+    passed_check = (
+        not _security_middleware() or
+        settings.SECURE_BROWSER_XSS_FILTER is True
+    )
+    return [] if passed_check else [W007]
+
+
+@register(Tags.security, deploy=True)
+def check_ssl_redirect(app_configs, **kwargs):
+    passed_check = (
+        not _security_middleware() or
+        settings.SECURE_SSL_REDIRECT is True
+    )
+    return [] if passed_check else [W008]
+
+
+@register(Tags.security, deploy=True)
+def check_secret_key(app_configs, **kwargs):
+    passed_check = (
+        getattr(settings, 'SECRET_KEY', None) and
+        len(set(settings.SECRET_KEY)) >= SECRET_KEY_MIN_UNIQUE_CHARACTERS and
+        len(settings.SECRET_KEY) >= SECRET_KEY_MIN_LENGTH
+    )
+    return [] if passed_check else [W009]
+
+
+@register(Tags.security, deploy=True)
+def check_debug(app_configs, **kwargs):
+    passed_check = not settings.DEBUG
+    return [] if passed_check else [W018]
+
+
+@register(Tags.security, deploy=True)
+def check_xframe_deny(app_configs, **kwargs):
+    passed_check = (
+        not _xframe_middleware() or
+        settings.X_FRAME_OPTIONS == 'DENY'
+    )
+    return [] if passed_check else [W019]
@@ -0,0 +1,57 @@
+from django.conf import settings
+
+from .. import register, Tags, Warning
+
+
+W003 = Warning(
+    "You don't appear to be using Django's built-in "
+    "cross-site request forgery protection via the middleware "
+    "('django.middleware.csrf.CsrfViewMiddleware' is not in your "
+    "MIDDLEWARE_CLASSES). Enabling the middleware is the safest approach "
+    "to ensure you don't leave any holes.",
+    id='security.W003',
+)
+
+W016 = Warning(
+    "You have 'django.middleware.csrf.CsrfViewMiddleware' in your "
+    "MIDDLEWARE_CLASSES, but you have not set CSRF_COOKIE_SECURE to True. "
+    "Using a secure-only CSRF cookie makes it more difficult for network "
+    "traffic sniffers to steal the CSRF token.",
+    id='security.W016',
+)
+
+W017 = Warning(
+    "You have 'django.middleware.csrf.CsrfViewMiddleware' in your "
+    "MIDDLEWARE_CLASSES, but you have not set CSRF_COOKIE_HTTPONLY to True. "
+    "Using an HttpOnly CSRF cookie makes it more difficult for cross-site "
+    "scripting attacks to steal the CSRF token.",
+    id='security.W017',
+)
+
+
+def _csrf_middleware():
+    return "django.middleware.csrf.CsrfViewMiddleware" in settings.MIDDLEWARE_CLASSES
+
+
+@register(Tags.security, deploy=True)
+def check_csrf_middleware(app_configs, **kwargs):
+    passed_check = _csrf_middleware()
+    return [] if passed_check else [W003]
+
+
+@register(Tags.security, deploy=True)
+def check_csrf_cookie_secure(app_configs, **kwargs):
+    passed_check = (
+        not _csrf_middleware() or
+        settings.CSRF_COOKIE_SECURE
+    )
+    return [] if passed_check else [W016]
+
+
+@register(Tags.security, deploy=True)
+def check_csrf_cookie_httponly(app_configs, **kwargs):
+    passed_check = (
+        not _csrf_middleware() or
+        settings.CSRF_COOKIE_HTTPONLY
+    )
+    return [] if passed_check else [W017]
Original file line number	Diff line number	Diff line change
`@@ -46,6 +46,7 @@`
`46`	`46`	`'django.contrib.auth.middleware.SessionAuthenticationMiddleware',`
`47`	`47`	`'django.contrib.messages.middleware.MessageMiddleware',`
`48`	`48`	`'django.middleware.clickjacking.XFrameOptionsMiddleware',`
	`49`	`+ 'django.middleware.security.SecurityMiddleware',`
`49`	`50`	`)`
`50`	`51`
`51`	`52`	`ROOT_URLCONF = '{{ project_name }}.urls'`