
Remove HSTS settings, handled by IAP/Cloud Run

d7125cb
Merged

fix: Remove wildcard CSRF origin and add production security settings #145

@sentry/warden / warden: find-bugs completed Apr 8, 2026 in 49s

1 issue

find-bugs: Found 1 issue (1 low)

Low

PR description claims HSTS but SECURE_HSTS_SECONDS is not configured - `src/firetower/settings.py:94-99`

The PR description states '1-hour HSTS' is included, but the production security block (lines 94-99) does not include SECURE_HSTS_SECONDS or SECURE_HSTS_INCLUDE_SUBDOMAINS settings. Without these Django settings, HSTS headers will not be sent, leaving users vulnerable to SSL stripping attacks on initial connection.


Duration: 44.7s · Tokens: 118.3k in / 1.9k out · Cost: $0.18 (+fix_gate: $0.00)