I'm trying to configure my site to pass the tests at:
I've been looking at this blog post. I'm using the Django app called django-csp to implement this. My Django settings in production are as follows:
# Content Security Policy
CSP_DEFAULT_SRC = ("'none'", )
CSP_STYLE_SRC = ("'self'", "fonts.googleapis.com", "'sha256-/3kWSXHts8LrwfemLzY9W0tOv5I4eLIhrf0pT8cU0WI='")
CSP_SCRIPT_SRC = ("'self'", )
CSP_IMG_SRC = ("'self'",)
CSP_FONT_SRC = ("'self'", "fonts.gstatic.com")
CSP_CONNECT_SRC = ("'self'", )
CSP_OBJECT_SRC = ("'none'", )
CSP_BASE_URI = ("'none'", )
CSP_FRAME_ANCESTORS = ("'self'", 'https://example.com/', 'https://example.com/')
CSP_FORM_ACTION = ("'self'", )
CSP_INCLUDE_NONCE_IN = ('script-src',)
CSRF_COOKIE_SECURE = True
SESSION_COOKIE_SECURE = True
SECURE_CONTENT_TYPE_NOSNIFF = True
SECURE_BROWSER_XSS_FILTER = True
SECURE_SSL_REDIRECT = True
X_FRAME_OPTIONS = 'DENY'
SECURE_HSTS_SECONDS = 60
SECURE_HSTS_INCLUDE_SUBDOMAINS = True
SECURE_HSTS_PRELOAD = True
Yet, when I run the aforementioned tests I fail even though I have the above setup. Moreover, in Chrome dev tools I receive no errors, which is great.
Anyone have advice on this please? Thanks
Update:
I'm deploying the app via Heroku. When I test the appname.herokuapp.com url with Mozilla Observatory, I pass all the tests.
It seems that when I forward the domain appname.herokuapp.com to mywebsite.com, some settings are skipped? I failed the tests with mywebsite.com
I have added the CNAME www to be the value of the custom Heroku DNS.
