Re: Rethink (?) how we handle security headers.

2020-08-21 Thread Adam Johnson
A single SECURITY_HEADERS (or perhaps SECURITY) setting sounds good. Would
love to get CORS into core too.

The Opener-Policy ticket has been marked as someday/maybe because the
header is still not widely supported.

On Thu, 20 Aug 2020 at 00:02, James Bennett wrote:

> While I think Adam's right that adding one or two new settings
> wouldn't be a problem, I do worry about the ongoing proliferation, and
> it's a thing that I keep wanting to try to find the time to work on
> but never actually succeed at.
>
> Separate from the suggestion of a generic way to add headers on every
> response, I've been leaning for a while toward the idea of
> consolidating the security-header settings the way we've already
> consolidated database and template settings. We can paint the bikeshed
> whatever color, but suppose for sake of an example name we add a
> SECURITY_HEADERS setting, with each one configured under its own key.
> That would allow X-Frame-Options, content sniffing, HSTS,
> Referrer-Policy, opener policy, and future stuff like CSP, built-in
> CORS, etc. to all be defined in a single place that doesn't
> proliferate a huge number of new settings, or require adding and
> supporting a new setting every time a new one comes along (which, with
> security headers, is about twice a week these days).
>
> For now I think the best thing would be to accept the opener-policy
> work as-is, then get consensus around a proposal for how future
> security headers should be handled.
>
> --
> You received this message because you are subscribed to the Google Groups
> "Django developers  (Contributions to Django itself)" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to django-developers+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/django-developers/CAL13Cg8Uf3FdNtK6kbEdZ9Ja7sa5jhg4ptnUGotpzO8hj9B49g%40mail.gmail.com
> .
>


-- 
Adam
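
The consolidated setting proposed in the quoted message, sketched as an added example that is not code from this thread or from Django: the `SECURITY_HEADERS` key names, option names, and both helper functions are hypothetical, and response headers are modelled as a plain dict.

```python
# Hypothetical consolidated setting: one key per header, as the thread proposes.
# Key and option names are assumptions for illustration, not Django's API.
SECURITY_HEADERS = {
    "hsts": {"max_age": 31536000, "include_subdomains": True, "preload": False},
    "frame_options": "DENY",
    "content_type_nosniff": True,
    "referrer_policy": ["same-origin"],
    "opener_policy": "same-origin",
}

def _hsts(opts):
    # No max_age (or max_age of 0) means the header is not emitted at all.
    if not opts or not opts.get("max_age"):
        return None
    parts = [f"max-age={int(opts['max_age'])}"]
    if opts.get("include_subdomains"):
        parts.append("includeSubDomains")
    if opts.get("preload"):
        parts.append("preload")
    return "; ".join(parts)

# Each key maps to (header name, renderer returning the header value or None).
RENDERERS = {
    "hsts": ("Strict-Transport-Security", _hsts),
    "frame_options": ("X-Frame-Options", lambda v: v or None),
    "content_type_nosniff": ("X-Content-Type-Options", lambda v: "nosniff" if v else None),
    "referrer_policy": ("Referrer-Policy", lambda v: ", ".join(v) if v else None),
    "opener_policy": ("Cross-Origin-Opener-Policy", lambda v: v or None),
}

def build_security_headers(config):
    # A misspelled key would otherwise silently drop a protection, so reject it.
    unknown = set(config) - set(RENDERERS)
    if unknown:
        raise ValueError(f"unknown SECURITY_HEADERS keys: {sorted(unknown)}")
    headers = {}
    for key, value in config.items():
        name, render = RENDERERS[key]
        rendered = render(value)
        if rendered is not None:
            headers[name] = rendered
    return headers

def apply_security_headers(response_headers, config, is_secure):
    for name, value in build_security_headers(config).items():
        if name == "Strict-Transport-Security" and not is_secure:
            continue  # HSTS is only honoured on HTTPS responses
        response_headers.setdefault(name, value)  # a header set by the view wins
    return response_headers
```

Supporting a new header in this sketch means adding one entry to `RENDERERS` rather than a new top-level setting.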



Announcement of Technical Board Election Registration

2020-08-21 Thread Frank Wiles
Hello Everyone!

With the acceptance of DEP-10 we're now gearing up for our first Technical
Board Election.

If you are already a DSF Member you do not need to register, however per
DEP-10:

"Any person who can demonstrate, on application to the DSF, a history of
substantive contribution to Django or its ecosystem. Such persons are also
encouraged to apply for Individual membership in the DSF, but are not
required to do so."

If you feel you fall into this category and would like to participate in
voting in this election please register using the form on this blog post:

https://www.djangoproject.com/weblog/2020/aug/21/technical-board-election-registration/

More details about the timing and the process are included there as well.
The registration deadline to vote is next Friday August 28th AoE.

After we have captured that information we will open registration for the
election itself for one week. So be thinking about whether or not you may
want to stand for this election and serve on the Technical Board.

Please don't hesitate to contact me personally or the DSF Board directly (
foundat...@djangoproject.com) if you have any questions!

Thanks!

-
Frank Wiles
President/Founder of REVSYS & DSF President
@fwiles
