Opened 12 years ago

Closed 10 years ago

#17101 closed New feature (fixed)

Add --deploy option to check management command

Reported by: Carl Meyer
Owned by: Tim Graham
Component: Core (Management commands)
Version: dev
Severity: Normal
Keywords:
Cc:
Triage Stage: Accepted
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

There has been discussion of integrating something similar to django-secure into Django core, to help users check some common deployment mis-configurations. We probably want to use a name like "checkdeploy" rather than "checksecure", both to allow for a broader range of checks to be included, and to avoid giving users a false sense that a successful run means their code is secure.

This would include checking SESSION_COOKIE_SECURE, SESSION_COOKIE_HTTPONLY, X_FRAME_OPTIONS (and the middleware); these are all things which django-secure currently checks.

It could also include checking for common Python path issues, existence of 500/404 templates (if you're using the default 404/500 handlers)...

And of course it should be pluggable so third-party apps can provide additional checks that users can include (and users should be able to disable built-in checks if they determine it doesn't apply to them for whatever reason).

Change History (4)

comment:1 by Preston Holmes, 12 years ago

Triage Stage: Unreviewed → Accepted

A couple quick thoughts to attach to this idea:

The solution should work well with automated deployment workflows. I can't see why a management command would be limiting for this in any way - and django-secure is already well factored to allow the checks to be used outside of the management command context. Just mentioning.

It would be nice to support multiple outputs. In addition to the standard human-readable console output, a machine-parseable format, and a shiny HTML grid format.

comment:2 by Tim Graham, 10 years ago

Has patch: set
Owner: changed from nobody to Tim Graham
Patch needs improvement: set
Status: new → assigned
Version: 1.3 → master

I'm working on this as part of integrating django-secure.

I've implemented the ability to register "deployment checks" by adding deploy=True to register(), e.g. @register("tag_name", deploy=True). These checks are only run if you pass the --deploy flag to check. So in development you can run manage.py check --deploy --settings=settings_prod to check your production settings file. Running these checks automatically if DEBUG is False would likely give them better visibility, but I don't see an easy way of disabling them when testing if we did that.

django-developers thread.
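
Added example, not part of the ticket and not Django's own code: a simplified stand-alone model of the behaviour described in comment:2, where checks registered with deploy=True are skipped unless deployment checks are explicitly requested (the --deploy flag). The registry, the settings argument passed to each check, the TEMPLATES_PRESENT attribute and the settings_prod object are assumptions made for illustration.

```python
"""Simplified model of deploy-only checks; not Django's implementation."""
from types import SimpleNamespace

_REGISTRY = []  # entries: (check function, tags, deploy flag)


def register(*tags, deploy=False):
    """Register a check; deploy=True marks it as a deployment-only check."""
    def decorator(func):
        _REGISTRY.append((func, frozenset(tags), deploy))
        return func
    return decorator


def run_checks(settings, tags=None, include_deployment_checks=False):
    """Run regular checks, plus deploy-only ones when explicitly requested."""
    messages = []
    for func, func_tags, deploy in _REGISTRY:
        if deploy and not include_deployment_checks:
            continue  # deploy-only check: skipped unless --deploy was given
        if tags is not None and not func_tags & set(tags):
            continue  # caller restricted the run to other tags
        messages.extend(func(settings))
    return messages


@register("security", deploy=True)
def check_session_cookies(settings):
    """Deployment check for two of the settings named in the description."""
    found = []
    if not getattr(settings, "SESSION_COOKIE_SECURE", False):
        found.append("SESSION_COOKIE_SECURE is not True")
    if not getattr(settings, "SESSION_COOKIE_HTTPONLY", False):
        found.append("SESSION_COOKIE_HTTPONLY is not True")
    return found


@register("templates")
def check_error_templates(settings):
    """Regular check: runs on every invocation, with or without --deploy."""
    # TEMPLATES_PRESENT is a hypothetical attribute used only in this model.
    missing = {"404.html", "500.html"} - set(getattr(settings, "TEMPLATES_PRESENT", ()))
    return [f"missing template {name}" for name in sorted(missing)]


# Constructed sample settings standing in for a production settings module.
settings_prod = SimpleNamespace(
    SESSION_COOKIE_SECURE=False, SESSION_COOKIE_HTTPONLY=True,
    TEMPLATES_PRESENT=("404.html",),
)
```

Calling run_checks(settings_prod) reports only the missing template; passing include_deployment_checks=True additionally reports the insecure session cookie setting.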

comment:3 by Tim Graham, 10 years ago

Patch needs improvement: unset
Summary: Add "checkdeploy" management command → Add --deploy option to check management command

comment:4 by Tim Graham <timograham@…>, 10 years ago

Resolution: fixed
Status: assigned → closed

In 52ef6a47269a455113d95992f868939131f9c10c:

Fixed #17101 -- Integrated django-secure and added check --deploy option

Thanks Carl Meyer for django-secure and for reviewing.

Thanks also to Zach Borboa, Erik Romijn, Collin Anderson, and
Jorge Carleitao for reviews.
