Merge pull request #115 from uw-it-aca/develop

Develop
uw-it-aca · Sep 2, 2020 · 65e7d98 · 65e7d98
2 parents 60e5145 + 8775c0d
commit 65e7d98
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/project/base_settings/auth_settings.py b/project/base_settings/auth_settings.py
@@ -90,8 +90,15 @@ def auth_from_env(auth):
 if _auth:
     INSTALLED_APPS.append('blti')
 
+    MIDDLEWARE.remove('django.middleware.clickjacking.XFrameOptionsMiddleware')
     MIDDLEWARE.insert(0, 'blti.middleware.SessionHeaderMiddleware')
     MIDDLEWARE.insert(0, 'blti.middleware.CSRFHeaderMiddleware')
+    MIDDLEWARE.insert(0, 'blti.middleware.SameSiteMiddleware')
+
+    # relax samesite (django-blti>=2.2.1),
+    # but protect cookies from casual snooping
+    SESSION_COOKIE_SECURE = True
+    CSRF_COOKIE_SECURE = True
 
     LTI_ENFORCE_SSL = parse_bool_from_str(os.getenv('LTI_ENFORCE_SSL', 'False'))