Implement newsletter double opt-in email flow and CSP nonce headers

apps/core/middleware.py

@@ -1,5 +1,7 @@
 from __future__ import annotations
 
+import secrets
+
 from .consent import ConsentService
 
 
@@ -10,3 +12,26 @@ class ConsentMiddleware:
     def __call__(self, request):
         request.consent = ConsentService.get_consent(request)
         return self.get_response(request)
+
+
+class SecurityHeadersMiddleware:
+    def __init__(self, get_response):
+        self.get_response = get_response
+
+    def __call__(self, request):
+        nonce = secrets.token_urlsafe(16)
+        request.csp_nonce = nonce
+        response = self.get_response(request)
+        response["Content-Security-Policy"] = (
+            f"default-src 'self'; "
+            f"script-src 'self' 'nonce-{nonce}'; "
+            "style-src 'self'; "
+            "img-src 'self' data: blob:; "
+            "font-src 'self'; "
+            "connect-src 'self'; "
+            "object-src 'none'; "
+            "base-uri 'self'; "
+            "frame-ancestors 'self'"
+        )
+        response["Permissions-Policy"] = "camera=(), microphone=(), geolocation=()"
+        return response

apps/core/tests/test_security.py

@@ -0,0 +1,24 @@
+import re
+
+import pytest
+
+
+@pytest.mark.django_db
+def test_security_headers_present(client, home_page):
+    resp = client.get("/")
+    assert resp.status_code == 200
+    assert "Content-Security-Policy" in resp
+    assert "Permissions-Policy" in resp
+    assert "unsafe-inline" not in resp["Content-Security-Policy"]
+    assert "script-src" in resp["Content-Security-Policy"]
+
+
+@pytest.mark.django_db
+def test_csp_nonce_applied_to_inline_script(client, home_page):
+    resp = client.get("/")
+    csp = resp["Content-Security-Policy"]
+    match = re.search(r"nonce-([^' ;]+)", csp)
+    assert match
+    nonce = match.group(1)
+    html = resp.content.decode()
+    assert f'nonce="{nonce}"' in html