1from plain.preflight import PreflightCheck, PreflightResult, register_check
2from plain.runtime import settings
3
4
def _session_middleware() -> bool:
    """Report whether the session middleware is enabled in ``settings.MIDDLEWARE``."""
    middleware_path = "plain.sessions.middleware.SessionMiddleware"
    return middleware_path in settings.MIDDLEWARE
7
8
def _session_app() -> bool:
    """Report whether the sessions package is listed in ``settings.INSTALLED_PACKAGES``."""
    package_name = "plain.sessions"
    return package_name in settings.INSTALLED_PACKAGES
11
12
@register_check(name="sessions.cookie_secure", deploy=True)
class CheckSessionCookieSecure(PreflightCheck):
    """Ensure SESSION_COOKIE_SECURE is True in a production deployment.

    Registered as a deploy-time check. It passes only when the setting is
    literally ``True`` (an identity check, so truthy non-bool values such as
    ``1`` still trip it). Otherwise it reports at most one warning, chosen by
    how sessions are wired up:

    * only ``plain.sessions`` in INSTALLED_PACKAGES -> ``..._app`` id
    * only SessionMiddleware in MIDDLEWARE -> ``..._middleware`` id
    * both present -> the single generic ``security.session_cookie_not_secure``
    * neither present -> no result, there is no session cookie to protect

    Every result is emitted with ``warning=True``; whether that blocks a
    deploy depends on how PreflightResult warnings are treated by the
    preflight runner (not visible here).
    """

    # Shared tail of every fix message; the app/middleware variants only
    # prepend where the session machinery was found.
    _REASON = (
        "SESSION_COOKIE_SECURE is not set to True. Set SESSION_COOKIE_SECURE=True "
        "to prevent session hijacking as using a secure-only session cookie makes "
        "it more difficult for network traffic sniffers to hijack user sessions."
    )

    def _warning(self, result_id: str, prefix: str = "") -> PreflightResult:
        """Build one warning-level result whose fix text is *prefix* + the shared reason."""
        return PreflightResult(
            fix=prefix + self._REASON,
            id=result_id,
            warning=True,
        )

    def run(self) -> list[PreflightResult]:
        """Return ``[]`` when the cookie is secure, else a single warning.

        Both configuration probes are evaluated up front so the result does
        not depend on short-circuit order.
        """
        # Strict identity: only the bool True satisfies the check.
        if settings.SESSION_COOKIE_SECURE is True:
            return []

        has_app = _session_app()
        has_middleware = _session_middleware()

        # Both wired up: collapse to one generic warning rather than two.
        if has_app and has_middleware:
            return [self._warning("security.session_cookie_not_secure")]
        if has_app:
            return [
                self._warning(
                    "security.session_cookie_not_secure_app",
                    "You have 'plain.sessions' in your INSTALLED_PACKAGES, but ",
                )
            ]
        if has_middleware:
            return [
                self._warning(
                    "security.session_cookie_not_secure_middleware",
                    "You have 'plain.sessions.middleware.SessionMiddleware' in your MIDDLEWARE, but ",
                )
            ]
        # Sessions are not installed at all: nothing to warn about.
        return []
47
48
@register_check(name="sessions.cookie_httponly", deploy=True)
class CheckSessionCookieHttpOnly(PreflightCheck):
    """Ensure SESSION_COOKIE_HTTPONLY is True in a production deployment.

    Registered as a deploy-time check. It passes only when the setting is
    literally ``True`` (an identity check, so truthy non-bool values such as
    ``1`` still trip it). Otherwise it reports at most one warning, chosen by
    how sessions are wired up:

    * only ``plain.sessions`` in INSTALLED_PACKAGES -> ``..._app`` id
    * only SessionMiddleware in MIDDLEWARE -> ``..._middleware`` id
    * both present -> the single generic ``security.session_cookie_not_httponly``
    * neither present -> no result, there is no session cookie to protect

    Every result is emitted with ``warning=True``; whether that blocks a
    deploy depends on how PreflightResult warnings are treated by the
    preflight runner (not visible here).
    """

    # Shared tail of every fix message; the app/middleware variants only
    # prepend where the session machinery was found.
    _REASON = (
        "SESSION_COOKIE_HTTPONLY is not set to True. Set SESSION_COOKIE_HTTPONLY=True "
        "to prevent cross-site scripting attacks as using an HttpOnly session cookie "
        "makes it more difficult for cross-site scripting attacks to hijack user sessions."
    )

    def _warning(self, result_id: str, prefix: str = "") -> PreflightResult:
        """Build one warning-level result whose fix text is *prefix* + the shared reason."""
        return PreflightResult(
            fix=prefix + self._REASON,
            id=result_id,
            warning=True,
        )

    def run(self) -> list[PreflightResult]:
        """Return ``[]`` when the cookie is HttpOnly, else a single warning.

        Both configuration probes are evaluated up front so the result does
        not depend on short-circuit order.
        """
        # Strict identity: only the bool True satisfies the check.
        if settings.SESSION_COOKIE_HTTPONLY is True:
            return []

        has_app = _session_app()
        has_middleware = _session_middleware()

        # Both wired up: collapse to one generic warning rather than two.
        if has_app and has_middleware:
            return [self._warning("security.session_cookie_not_httponly")]
        if has_app:
            return [
                self._warning(
                    "security.session_cookie_not_httponly_app",
                    "You have 'plain.sessions' in your INSTALLED_PACKAGES, but ",
                )
            ]
        if has_middleware:
            return [
                self._warning(
                    "security.session_cookie_not_httponly_middleware",
                    "You have 'plain.sessions.middleware.SessionMiddleware' in your MIDDLEWARE, but ",
                )
            ]
        # Sessions are not installed at all: nothing to warn about.
        return []