Remove HSTS settings, handled by IAP/Cloud Run

d7125cb
Merged

fix: Remove wildcard CSRF origin and add production security settings #145

GitHub Actions / warden: find-bugs completed Apr 8, 2026 in 30s

1 issue

find-bugs: Found 1 issue (1 medium)

Medium

Missing HSTS configuration despite PR description claiming it was added - `src/firetower/settings.py:94-99`

The PR description states '1-hour HSTS' should be added, but the code changes do not include SECURE_HSTS_SECONDS, SECURE_HSTS_INCLUDE_SUBDOMAINS, or SECURE_HSTS_PRELOAD settings. Without HSTS, browsers can be tricked into connecting over HTTP initially, exposing the application to SSL stripping attacks. This is a discrepancy between documented changes and actual implementation.


Duration: 28.9s · Tokens: 64.2k in / 1.3k out · Cost: $0.15

Annotations

Check warning on line 99 in src/firetower/settings.py

@github-actions github-actions / warden: find-bugs
