Remove HSTS settings, handled by IAP/Cloud Run

d7125cb
Merged

fix: Remove wildcard CSRF origin and add production security settings #145

GitHub Actions / warden: code-review completed Apr 8, 2026 in 25s

1 issue

code-review: Found 1 issue (1 medium)

Medium

HSTS security setting mentioned in PR description but not implemented - `src/firetower/settings.py:94-99`

The PR description states '1-hour HSTS' should be added, but no SECURE_HSTS_SECONDS setting is present in the code. Without HSTS, browsers won't be instructed to only use HTTPS for future requests, leaving users vulnerable to SSL stripping attacks during the first connection.


Duration: 23.8s · Tokens: 21.3k in / 500 out · Cost: $0.06
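The finding above is about a header the application no longer sets itself: the commit removes Django's `SECURE_HSTS_SECONDS` on the grounds that IAP/Cloud Run emits `Strict-Transport-Security` at the edge. Delegating the header makes it worth verifying in a deployment smoke test. The following is an added example, not code from the PR or from the firetower project: `django_hsts_header` reproduces the header value Django's `SecurityMiddleware` builds from the `SECURE_HSTS_*` settings (so the removed 1-hour setting can be compared with what the edge sends), `parse_hsts` reads an RFC 6797 header value, and `check_hsts` flags a response whose HSTS policy is missing, malformed, or shorter than a required minimum. The function names, the `min_max_age` threshold and the sample response headers are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def django_hsts_header(settings: Dict[str, object]) -> Optional[str]:
    """Build the Strict-Transport-Security value Django's SecurityMiddleware
    emits from SECURE_HSTS_SECONDS / _INCLUDE_SUBDOMAINS / _PRELOAD.
    Returns None when SECURE_HSTS_SECONDS is unset or 0 (no header is sent)."""
    seconds = int(settings.get("SECURE_HSTS_SECONDS") or 0)
    if seconds <= 0:
        return None
    value = f"max-age={seconds}"
    if settings.get("SECURE_HSTS_INCLUDE_SUBDOMAINS"):
        value += "; includeSubDomains"
    if settings.get("SECURE_HSTS_PRELOAD"):
        value += "; preload"
    return value


def parse_hsts(header: str) -> Optional[HstsPolicy]:
    """Parse an RFC 6797 header value. Directive names are case-insensitive,
    max-age is required and must be a non-negative integer (optionally quoted),
    and unknown directives are ignored."""
    max_age = None
    include_subdomains = preload = False
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name == "max-age":
            if not re.fullmatch(r"\d+", val):
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def check_hsts(headers: Dict[str, str], min_max_age: int = 3600) -> List[str]:
    """Return findings for a response's HSTS policy; an empty list means the
    edge (or the app) sent an acceptable header. Header lookup is case-insensitive."""
    value = next(
        (v for k, v in headers.items() if k.lower() == "strict-transport-security"),
        None,
    )
    if value is None:
        return ["missing Strict-Transport-Security header"]
    policy = parse_hsts(value)
    if policy is None:
        return [f"unparseable Strict-Transport-Security value: {value!r}"]
    findings: List[str] = []
    if policy.max_age < min_max_age:
        findings.append(f"max-age {policy.max_age} below required {min_max_age}")
    return findings


# Constructed sample data (not captured from any real deployment).
APP_SETTINGS_1H = {"SECURE_HSTS_SECONDS": 3600}  # the 1-hour policy the PR description mentions
EDGE_RESPONSE_OK = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
EDGE_RESPONSE_MISSING = {"Content-Type": "text/html"}

if __name__ == "__main__":
    print("app header would be:", django_hsts_header(APP_SETTINGS_1H))
    print("edge ok:", check_hsts(EDGE_RESPONSE_OK))
    print("edge missing:", check_hsts(EDGE_RESPONSE_MISSING))
```

In practice the `headers` argument would come from a request to the deployed hostname over HTTPS; a non-empty findings list is the signal that the HSTS responsibility moved to the edge without the edge actually taking it over, which is the gap the review bot is pointing at. The minimum of 3600 seconds mirrors the setting being removed; a public site would normally require a longer `max-age`.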
