Create new config section for web security settings (#2815)

* Document the new config section
* Add a link to the correct config-file from settings.py

Author: hmpf

NOTES.rst

@@ -8,6 +8,22 @@ existing bug reports, go to https://github.com/uninett/nav/issues .
 To see an overview of upcoming release milestones and the issues they resolve,
 please go to https://github.com/uninett/nav/milestones .
 
+NAV 5.9
+=======
+
+Web security
+------------
+
+While it is only relevant for older browsers, the HTTP header
+``X-XSS-Protection`` is set to ``1; mode=block``. It does not affect browsers
+that do not support it after all.
+
+There's a new section in :file:`webfront/webfront.conf`, ``[security]``. When
+running in production with SSL/TLS turned on, there's a new flag ``needs_tls``
+that should also be toggled on. This'll turn on secure cookies (only sent over
+SSL/TLS). See also the new howto
+:doc:`Securing NAV in production </howto/securing-nav-in-production>`.
+
 NAV 5.8
 =======
 

doc/howto/index.rst

@@ -19,3 +19,4 @@ Howtos
    setting-up-logging
    using_the_api
    api_parameters
+   securing-nav-in-production

doc/howto/securing-nav-in-production.rst

@@ -0,0 +1,26 @@
+==========================
+Securing NAV in production
+==========================
+
+Overview
+========
+
+The default configuration of NAV is set up to work well during development, but
+needs to be tightened when running in production.
+
+NAV consists of pages controlled by NAV itself, and pages served directly by
+the web server. Security features for NAV's own pages are controlled via the
+``[security]``-section in the file :file:`webfront/webfront.conf`, while
+security for the other pages are controlled directly by the web server.
+
+
+SSL/TLS
+=======
+
+This needs to be turned on in the webserver itself. While there is no reason to
+serve any of NAV without SSL/TLS turned off, it is especially important for the
+pages controlled by NAV.
+
+When the server serves NAV with SSL/TLS, ensure that the ``needs_tls``-flag in
+the ``[security]``-section is set to ``yes``. This explicitly turns on secure
+cookies, which is dependent on SSL being in use.

python/nav/django/settings.py

@@ -29,6 +29,7 @@
 from nav.db import get_connection_parameters
 import nav.buildconf
 from nav.jwtconf import JWTConf
+from nav.web.security import WebSecurityConfigParser
 
 ALLOWED_HOSTS = ['*']
 
@@ -252,6 +253,21 @@
     'nav.web.info.searchproviders.UnrecognizedNeighborSearchProvider',
 ]
 
+## Web security options supported by Django
+# * https://docs.djangoproject.com/en/3.2/ref/middleware/#module-django.middleware.security
+# * https://docs.djangoproject.com/en/3.2/topics/http/sessions/
+# * https://docs.djangoproject.com/en/3.2/ref/clickjacking/
+#
+# Configured in etc/webfront/webfront.conf:
+#  [security]
+#  needs_tls = yes
+
+SECURE_BROWSER_XSS_FILTER = True  # Does no harm
+
+_websecurity_config = WebSecurityConfigParser()
+_needs_tls = bool(_websecurity_config.getboolean('security', 'needs_tls'))
+SESSION_COOKIE_SECURE = _needs_tls
+
 # Hack for hackers to use features like debug_toolbar etc.
 # https://code.djangoproject.com/wiki/SplitSettings (Rob Golding's method)
 if _config_dir:

python/nav/etc/webfront/webfront.conf

@@ -130,3 +130,9 @@ enabled = no
 # Some remote user systems need to be visited *after* NAV has logged the user
 # out. The default/unset value is "/"
 #post-logout-redirect-url=/magic/logout?nexthop=/
+
+[security]
+# Whether NAV must be run under TLS or not. Toggling this to `yes` toggles web
+# security features that are only available with TLS/SSL enabled. In
+# development mode this defaults to `no`.
+# needs_tls = no

python/nav/web/security.py

@@ -0,0 +1,11 @@
+from pathlib import Path
+
+from nav.config import NAVConfigParser
+
+
+class WebSecurityConfigParser(NAVConfigParser):
+    DEFAULT_CONFIG_FILES = [str(Path('webfront') / 'webfront.conf')]
+    DEFAULT_CONFIG = u"""
+[security]
+needs_tls=no
+"""