Security Model

OpenSESA applies layered security controls through environment-based configuration, middleware enforcement, and secure defaults.

Security Layers

flowchart TD
    A[Environment Configuration] --> B[Framework and Middleware Controls]
    B --> C[Authentication and MFA Policies]
    C --> D[Request-level Authorization]
    D --> E[Audit and Operational Controls]

Configuration

Security-critical settings are environment-driven:

  • SECRET_KEY is mandatory.
  • DEBUG defaults to false unless explicitly enabled.
  • DJANGO_ALLOWED_HOSTS and CSRF trusted origins are configurable.

Additional security defaults include secure cookies, HSTS in non-debug mode, content type protections, and frame restrictions.

Middleware

The middleware stack includes:

  • django.middleware.security.SecurityMiddleware
  • custom core.middleware.SecurityHeadersMiddleware
  • authentication and session middleware
  • core.middleware.MFARequiredMiddleware
  • core.middleware.LoginRequiredMiddleware

Request Security Flow

sequenceDiagram
    participant U as User
    participant M1 as SecurityMiddleware
    participant M2 as Session/Auth Middleware
    participant M3 as MFARequiredMiddleware
    participant M4 as LoginRequiredMiddleware
    participant V as View

    U->>M1: HTTP request
    M1->>M2: apply headers and baseline security
    M2->>M3: resolve authenticated user
    M3->>M4: enforce MFA policy scope
    M4->>V: enforce login requirement
    V-->>U: authorized response

Headers

The project configures defense-in-depth headers such as:

  • Content Security Policy
  • Permissions Policy
  • HSTS (enabled in non-debug mode)

Authentication

Django allauth is used with email-based authentication and MFA support.

Operational Security Practices

  • Keep secrets in environment variables, not committed files.
  • Use production-safe cookie and TLS settings in non-debug deployments.
  • Review authentication and MFA behavior when changing middleware order.
  • Validate host and CSRF trusted origin settings in every environment.

Collapsed deployment safety checks

Before deployment, confirm SECRET_KEY, host allow-list, CSRF trusted origins, and secure-cookie settings are explicitly configured.
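
The deployment check above can be automated. The following is an added example, not OpenSESA's own code. It assumes the environment variable names CSRF_TRUSTED_ORIGINS, SESSION_COOKIE_SECURE and CSRF_COOKIE_SECURE (only SECRET_KEY, DEBUG and DJANGO_ALLOWED_HOSTS are named on this page), comma-separated list values, and the truthy spellings in TRUTHY.

```python
"""Pre-deployment check of environment-driven security settings (added example)."""
import os
from urllib.parse import urlsplit

TRUTHY = {"1", "true", "yes", "on"}  # assumed boolean spellings
# Assumed names: the page names only SECRET_KEY, DEBUG and DJANGO_ALLOWED_HOSTS.
CSRF_ENV = "CSRF_TRUSTED_ORIGINS"
COOKIE_ENVS = ("SESSION_COOKIE_SECURE", "CSRF_COOKIE_SECURE")


def _csv(value):
    """Split a comma-separated value into stripped, non-empty items."""
    return [item.strip() for item in (value or "").split(",") if item.strip()]


def preflight(env):
    """Return a list of findings; an empty list means the environment passes."""
    findings = []
    if not env.get("SECRET_KEY", "").strip():
        findings.append("SECRET_KEY is missing or empty")
    if env.get("DEBUG", "false").strip().lower() in TRUTHY:
        findings.append("DEBUG is enabled")
    hosts = _csv(env.get("DJANGO_ALLOWED_HOSTS"))
    if not hosts:
        findings.append("DJANGO_ALLOWED_HOSTS is not set")
    elif "*" in hosts:
        findings.append("DJANGO_ALLOWED_HOSTS contains the wildcard '*'")
    origins = _csv(env.get(CSRF_ENV))
    if not origins:
        findings.append(f"{CSRF_ENV} is not set")
    for origin in origins:
        parts = urlsplit(origin)
        # Django expects scheme://host entries; plain http is flagged here.
        if parts.scheme != "https" or not parts.netloc:
            findings.append(f"{CSRF_ENV} entry is not an https origin: {origin}")
    for name in COOKIE_ENVS:
        if name not in env:
            findings.append(f"{name} is not explicitly configured")
        elif env[name].strip().lower() not in TRUTHY:
            findings.append(f"{name} is not enabled")
    return findings


if __name__ == "__main__":
    problems = preflight(os.environ)
    for problem in problems:
        print(f"FAIL: {problem}")
    raise SystemExit(1 if problems else 0)
```

Run as a script in the deployment pipeline, it exits non-zero when any finding is reported, so a misconfigured environment stops the release.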