Opened 13 years ago
Closed 10 years ago
#17101 closed New feature (fixed)
Add --deploy option to check management command
Reported by: | Carl Meyer | Owned by: | Tim Graham |
---|---|---|---|
Component: | Core (Management commands) | Version: | dev |
Severity: | Normal | Keywords: | |
Cc: | | Triage Stage: | Accepted |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
There has been discussion of integrating something similar to django-secure into Django core, to help users check some common deployment mis-configurations. We probably want to use a name like "checkdeploy" rather than "checksecure", both to allow for a broader range of checks to be included, and to avoid giving users a false sense that a successful run means their code is secure.
This would include checking SESSION_COOKIE_SECURE, SESSION_COOKIE_HTTPONLY, X_FRAME_OPTIONS (and the middleware); these are all things which django-secure currently checks.
It could also include checking for common python path issues, existence of 500/404 templates (if you're using the default 404/500 handlers)...
And of course it should be pluggable so third-party apps can provide additional checks that users can include (and users should be able to disable built-in checks if they determine it doesn't apply to them for whatever reason).
Change History (4)
comment:1 by , 13 years ago
Triage Stage: | Unreviewed → Accepted |
---|
comment:2 by , 10 years ago
Has patch: | set |
---|---|
Owner: | changed from | to
Patch needs improvement: | set |
Status: | new → assigned |
Version: | 1.3 → master |
I'm working on this as part of integrating django-secure.
I've implemented the ability to register "deployment checks" by adding `deploy=True` to `register()`, e.g. `@register("tag_name", deploy=True)`. These checks are only run if you pass the `--deploy` flag to `check`. So in development you can run `manage.py check --deploy --settings=settings_prod` to check your production settings file. Running these checks automatically if `DEBUG` is `False` would likely give them better visibility, but I don't see an easy way of disabling them when testing if we did that.
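As an added illustration (not code from the ticket, django-secure, or Django itself), this is how a third-party app could register a deployment-only check for the settings named in the description. The tag `myapp_deploy`, the `myapp.W00x` ids and the function names are hypothetical, and the check logic is kept in a plain function so it can be exercised without a configured project.

```python
# Added example: a third-party deployment check, run only by `manage.py check --deploy`.
# The tag "myapp_deploy", the "myapp.W00x" ids and the function names are hypothetical.
from types import SimpleNamespace

XFO_MIDDLEWARE = "django.middleware.clickjacking.XFrameOptionsMiddleware"


def audit_settings(settings):
    """Return (check_id, message) pairs for the settings named in the ticket."""
    findings = []
    if getattr(settings, "SESSION_COOKIE_SECURE", False) is not True:
        findings.append(("myapp.W001", "SESSION_COOKIE_SECURE is not True."))
    if getattr(settings, "SESSION_COOKIE_HTTPONLY", False) is not True:
        findings.append(("myapp.W002", "SESSION_COOKIE_HTTPONLY is not True."))
    if XFO_MIDDLEWARE not in (getattr(settings, "MIDDLEWARE", None) or []):
        findings.append(("myapp.W003", "XFrameOptionsMiddleware is not installed."))
    return findings


try:
    from django.core.checks import Warning as CheckWarning, register
except ImportError:
    pass  # Django absent: audit_settings() can still be exercised on its own
else:
    @register("myapp_deploy", deploy=True)
    def check_deploy_settings(app_configs, **kwargs):
        # Skipped by a plain `manage.py check`; runs only when --deploy is passed.
        from django.conf import settings
        return [CheckWarning(msg, id=cid) for cid, msg in audit_settings(settings)]


# Constructed sample settings objects (not taken from the ticket).
WEAK = SimpleNamespace(
    SESSION_COOKIE_SECURE=False, SESSION_COOKIE_HTTPONLY=True, MIDDLEWARE=[]
)
HARDENED = SimpleNamespace(
    SESSION_COOKIE_SECURE=True, SESSION_COOKIE_HTTPONLY=True,
    MIDDLEWARE=[XFO_MIDDLEWARE],
)

if __name__ == "__main__":
    for cid, msg in audit_settings(WEAK):
        print(cid, msg)
```

The module has to be imported at startup (for example from an `AppConfig.ready()`) for the registration to take effect; the check then runs with `manage.py check --deploy --settings=settings_prod`.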
comment:3 by , 10 years ago
Patch needs improvement: | unset |
---|---|
Summary: | Add "checkdeploy" management command → Add --deploy option to check management command |
comment:4 by , 10 years ago
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
A couple quick thoughts to attach to this idea:
The solution should work well with automated deployment workflows; I can't see why a management command would be limiting for this in any way - and django-secure is already well factored to allow the checks to be used outside of the management command context. Just mentioning.
It would be nice to support multiple outputs: in addition to the standard human-readable console output, a machine-parseable format and a shiny HTML grid format.