fix: Remove wildcard CSRF origin and add production security settings #145
+8
−1
@sentry/warden / warden
completed
Apr 8, 2026 in 1m 1s
2 issues
Low
HSTS setting mentioned in PR description is not implemented - `src/firetower/settings.py:94-99`
The PR description mentions '1-hour HSTS' as a security setting being added, but the code does not include SECURE_HSTS_SECONDS. If HSTS is intended to protect against protocol downgrade attacks, this setting should be added (e.g., SECURE_HSTS_SECONDS = 3600). The current implementation omits this security header while the PR claims it's included.
PR description claims HSTS but SECURE_HSTS_SECONDS is not configured - `src/firetower/settings.py:94-99`
The PR description states '1-hour HSTS' is included, but the production security block (lines 94-99) does not include SECURE_HSTS_SECONDS or SECURE_HSTS_INCLUDE_SUBDOMAINS settings. Without these Django settings, HSTS headers will not be sent, leaving users vulnerable to SSL stripping attacks on initial connection.
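The two findings above boil down to a configuration check a practitioner would want to run before deploy. The block below is an added example, not code from the firetower project or from the Warden bot: it models the production security block with and without `SECURE_HSTS_SECONDS`, reproduces the rule Django's `SecurityMiddleware` uses to decide whether to emit `Strict-Transport-Security`, and audits a settings dict for the gaps the review names plus the wildcard CSRF origin the PR title removes. The settings dicts, the `firetower.example` host and the `audit_production_settings`/`hsts_header` helpers are all constructed for the example; the real contents of `src/firetower/settings.py` lines 94-99 are not shown on this page.

```python
"""Pre-deploy audit of Django production security settings.

Constructed example: the settings dicts stand in for src/firetower/settings.py,
whose real contents are not on the page. hsts_header() follows the condition
django.middleware.security.SecurityMiddleware applies on an HTTPS response:
no header at all unless SECURE_HSTS_SECONDS is non-zero.
"""
from __future__ import annotations

# Constructed: production block that omits HSTS, the state the review flags.
SETTINGS_WITHOUT_HSTS = {
    "DEBUG": False,
    "SECURE_SSL_REDIRECT": True,
    "SESSION_COOKIE_SECURE": True,
    "CSRF_COOKIE_SECURE": True,
    "CSRF_TRUSTED_ORIGINS": ["https://firetower.example"],  # hypothetical host
}

# Constructed: the same block with the 1-hour HSTS the PR description promised.
SETTINGS_WITH_HSTS = {
    **SETTINGS_WITHOUT_HSTS,
    "SECURE_HSTS_SECONDS": 3600,
    "SECURE_HSTS_INCLUDE_SUBDOMAINS": True,
}

# Constructed: a wildcard CSRF origin of the kind the PR title says it removes.
SETTINGS_WILDCARD_CSRF = {
    **SETTINGS_WITH_HSTS,
    "CSRF_TRUSTED_ORIGINS": ["https://*"],
}


def hsts_header(settings: dict) -> str | None:
    """Strict-Transport-Security value Django would send over HTTPS, or None.

    SecurityMiddleware only adds the header when SECURE_HSTS_SECONDS is
    non-zero; includeSubDomains and preload are appended from their settings.
    """
    seconds = settings.get("SECURE_HSTS_SECONDS", 0)
    if not seconds:
        return None
    value = f"max-age={seconds}"
    if settings.get("SECURE_HSTS_INCLUDE_SUBDOMAINS", False):
        value += "; includeSubDomains"
    if settings.get("SECURE_HSTS_PRELOAD", False):
        value += "; preload"
    return value


def audit_production_settings(settings: dict) -> list[str]:
    """Return a list of problems; an empty list means the block is sound."""
    problems: list[str] = []
    if settings.get("DEBUG", True):
        return ["DEBUG is on; production checks skipped"]
    for flag in ("SECURE_SSL_REDIRECT", "SESSION_COOKIE_SECURE", "CSRF_COOKIE_SECURE"):
        if not settings.get(flag, False):
            problems.append(f"{flag} is not True")
    if hsts_header(settings) is None:
        problems.append(
            "SECURE_HSTS_SECONDS is unset or 0: no Strict-Transport-Security header"
        )
    for origin in settings.get("CSRF_TRUSTED_ORIGINS", []):
        if "*" in origin:
            problems.append(f"wildcard CSRF origin {origin!r}: list explicit hosts")
        elif not origin.startswith("https://"):
            problems.append(f"CSRF origin {origin!r} is not https")
    return problems


if __name__ == "__main__":
    for name, block in (
        ("without HSTS", SETTINGS_WITHOUT_HSTS),
        ("with HSTS", SETTINGS_WITH_HSTS),
        ("wildcard CSRF", SETTINGS_WILDCARD_CSRF),
    ):
        print(name, "->", hsts_header(block), audit_production_settings(block))
```

Run as a script, or point `audit_production_settings` at `vars(django.conf.settings)` from a CI job so the gap between a PR description and the settings file is caught before merge. Note that even with the header present, HSTS only takes effect after a browser's first successful HTTPS visit; protecting that very first connection requires `SECURE_HSTS_PRELOAD` and submission to the browser preload lists.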
5 skills analyzed
| Skill | Findings | Duration | Cost |
|---|---|---|---|
| security-review | 0 | 22.9s | $0.15 |
| django-access-review | 0 | 24.4s | $0.10 |
| django-perf-review | 0 | 10.1s | $0.04 |
| code-review | 1 | 28.6s | $0.11 |
| find-bugs | 1 | 44.7s | $0.17 |
Duration: 2m 11s · Tokens: 297.9k in / 5.0k out · Cost: $0.58 (+fix_gate: $0.01)