
Remove HSTS settings, handled by IAP/Cloud Run

d7125cb
Merged

fix: Remove wildcard CSRF origin and add production security settings #145

@sentry/warden / warden: code-review completed Apr 8, 2026 in 32s


code-review: Found 1 issue (1 low)

Low

HSTS setting mentioned in PR description is not implemented - `src/firetower/settings.py:94-99`

The PR description mentions '1-hour HSTS' as a security setting being added, but the code does not include SECURE_HSTS_SECONDS. If HSTS is intended to protect against protocol downgrade attacks, this setting should be added (e.g., SECURE_HSTS_SECONDS = 3600). The current implementation omits this security header while the PR claims it's included.


Duration: 28.6s · Tokens: 45.5k in / 1.3k out · Cost: $0.12 (+fix_gate: $0.00)
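The two settings this PR and the review comment turn on (a wildcard entry in `CSRF_TRUSTED_ORIGINS`, and whether `SECURE_HSTS_SECONDS` belongs in Django when IAP/Cloud Run terminates TLS) can be checked mechanically before merge. The following is an added example, not code from the firetower project or from the warden bot. It assumes the settings are available as a plain mapping (as a Django settings module exposes them), and represents "HSTS is handled upstream" as an explicit `hsts_at_edge` flag; the function names, the `BEFORE`/`AFTER` sample modules and the hostnames in them are constructed for illustration.

```python
"""Audit a Django-style settings mapping for the points raised on this PR.

Added example: assumes settings are handed in as a dict and that the caller
states whether HSTS is emitted by an edge component (IAP / Cloud Run) instead
of by Django's SecurityMiddleware.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Any, Iterable, Mapping


@dataclass
class AuditResult:
    errors: list[str] = field(default_factory=list)    # must fix before production
    warnings: list[str] = field(default_factory=list)  # needs a human decision
    notes: list[str] = field(default_factory=list)     # where a control actually lives

    @property
    def ok(self) -> bool:
        return not self.errors


def _check_csrf_origins(origins: Iterable[Any], result: AuditResult) -> None:
    for origin in origins:
        if not isinstance(origin, str) or "://" not in origin:
            # Django 4+ requires a scheme on every trusted origin.
            result.errors.append(f"CSRF_TRUSTED_ORIGINS entry lacks a scheme: {origin!r}")
            continue
        host = origin.split("://", 1)[1]
        if host in ("", "*") or (host.startswith("*") and "." not in host):
            # A bare wildcard accepts Origin/Referer from any site: CSRF protection is gone.
            result.errors.append(f"blanket wildcard {origin!r} trusts every origin")
        elif "*" in host:
            # Django allows 'https://*.example.com'; that is only safe if every
            # subdomain is under your control.
            result.warnings.append(
                f"subdomain wildcard {origin!r}: confirm you control all matching hosts")


def _check_hsts(settings: Mapping[str, Any], hsts_at_edge: bool, result: AuditResult) -> None:
    seconds = settings.get("SECURE_HSTS_SECONDS", 0) or 0
    if seconds > 0:
        result.notes.append(f"application sets HSTS max-age={seconds}")
        if not settings.get("SECURE_SSL_REDIRECT", False):
            result.warnings.append(
                "SECURE_HSTS_SECONDS set without SECURE_SSL_REDIRECT; HTTP visitors are "
                "never moved onto HTTPS, which is the only place the header is honoured")
    elif hsts_at_edge:
        # The commit on this PR takes this branch: the header is the proxy's job,
        # so the check to run is against the edge response, not Django settings.
        result.notes.append("HSTS delegated to the edge proxy; verify the header there, not in Django")
    else:
        result.errors.append("no HSTS: SECURE_HSTS_SECONDS unset and no edge component claims it")


def audit_settings(settings: Mapping[str, Any], hsts_at_edge: bool = False) -> AuditResult:
    result = AuditResult()
    if settings.get("DEBUG", False):
        result.errors.append("DEBUG=True in a production settings module")
    _check_csrf_origins(settings.get("CSRF_TRUSTED_ORIGINS", []), result)
    _check_hsts(settings, hsts_at_edge, result)
    return result


# Constructed sample settings (not the project's own): the shape of a wildcard
# origin of the kind this PR removes, and a corrected production module that
# relies on the edge for HSTS.
BEFORE = {"DEBUG": False, "CSRF_TRUSTED_ORIGINS": ["https://*"]}
AFTER = {
    "DEBUG": False,
    "CSRF_TRUSTED_ORIGINS": ["https://app.example.com"],
    "SECURE_SSL_REDIRECT": True,
}

if __name__ == "__main__":
    for name, cfg, edge in (("before", BEFORE, False), ("after", AFTER, True)):
        r = audit_settings(cfg, hsts_at_edge=edge)
        print(f"{name}: {'OK' if r.ok else 'FAIL'}")
        for line in r.errors + r.warnings + r.notes:
            print("  -", line)
```

Wire `audit_settings` into CI with `hsts_at_edge=True` only when the deployment manifest actually puts IAP or a Cloud Run load balancer in front of the service; the note it emits is the reminder that the review finding above is answered by checking the edge response headers rather than by re-adding `SECURE_HSTS_SECONDS`.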