Configuration
Security considerations
Client IP address
django-digid-eherkenning extracts the client IP address from the X-Forwarded-For HTTP request header. This is a common and popular header for reverse-proxy configurations; however, it can be spoofed by the end user.
Users of this library are responsible for sanitizing the value of this header. If possible, configure your web server to set this header rather than append to it, or apply other sanitization to drop untrusted entries/parts.
If this header is not set or empty, the value of REMOTE_ADDR is used instead.
Note
django-ipware is not suitable for security-sensitive usage as it does a best-effort attempt at obtaining the client IP.
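The sanitization the text leaves to the user can be done by trusting only the hops that known reverse proxies appended. The following is an added example and not code from django-digid-eherkenning: it takes the TCP peer (REMOTE_ADDR, which the client cannot forge) and walks the X-Forwarded-For chain from the right, stopping at the first address that is not one of our own proxies. The TRUSTED_PROXIES ranges and the function names are assumptions for this example; the only header and META keys used are the ones the page names.

```python
import ipaddress
from typing import Optional

# Constructed example: the reverse proxies in front of the Django app.
# Replace with the proxy addresses/ranges of your own deployment (assumption).
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "127.0.0.1/32", "::1/128")]


def _parse_ip(value: str):
    """Return an IPv4/IPv6 address object, or None when the entry is not a bare IP."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def _is_trusted(addr, trusted) -> bool:
    return any(addr in net for net in trusted)


def client_ip(x_forwarded_for: Optional[str], remote_addr: Optional[str],
              trusted=TRUSTED_PROXIES) -> Optional[str]:
    """Derive the client IP from X-Forwarded-For, trusting only entries that
    known proxies appended.

    REMOTE_ADDR is the TCP peer. If the peer is not one of our proxies, the
    header is whatever the client sent and is ignored. Otherwise the chain is
    walked right to left (the rightmost entry was appended by the proxy closest
    to us); the first entry that is not a trusted proxy is the client. Anything
    left of it is attacker-controlled and never consulted.
    """
    peer = _parse_ip(remote_addr or "")
    if peer is None:
        return None
    if not _is_trusted(peer, trusted):
        return str(peer)
    hops = [_parse_ip(p) for p in (x_forwarded_for or "").split(",") if p.strip()]
    for hop in reversed(hops):
        if hop is None:
            # A malformed entry before any untrusted IP: no reliable client address.
            return None
        if not _is_trusted(hop, trusted):
            return str(hop)
    # Header empty or containing only proxies: the peer itself is the best we have.
    return str(peer)


def client_ip_from_meta(meta: dict) -> Optional[str]:
    """Same lookup on a WSGI/Django-style META mapping (request.META)."""
    return client_ip(meta.get("HTTP_X_FORWARDED_FOR"), meta.get("REMOTE_ADDR"))
```

Inside a Django middleware this would be `client_ip_from_meta(request.META)`; a `None` result means the chain could not be trusted and the caller should treat the request as having no usable client address rather than falling back to the leftmost entry.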
Protecting metadata endpoints
The metadata URLs are open by design to facilitate sharing these URLs with identity providers or other interested parties. Because the metadata is generated on the fly, there is a Denial-of-Service risk. We recommend protecting these URLs at the web-server level by:
applying an IP address allow-list
applying HTTP Basic Auth
setting up rate-limiting
This concerns the following paths:
reverse("metadata:digid")
reverse("metadata:eherkenning")
reverse("metadata:eh-dienstcatalogus")
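The page recommends enforcing these controls in the web server. As defence in depth, the same allow-list and rate-limit decision can also be made in the application for exactly the three view names listed above. The class below is an added example, not part of django-digid-eherkenning; the `MetadataGuard` name, the token-bucket parameters and the allow-list ranges are assumptions, and the view names are the ones the page's `reverse()` calls use.

```python
import ipaddress
import time

# View names from the reverse() calls on the page.
METADATA_VIEW_NAMES = {"metadata:digid", "metadata:eherkenning", "metadata:eh-dienstcatalogus"}


class MetadataGuard:
    """Allow-list plus per-IP token bucket for the metadata views.

    `rate` is the sustained requests/second per client, `burst` the bucket
    size. An empty allow_list disables the allow-list check (rate limit only).
    Bucket state is in-process; for a multi-worker deployment keep it in a
    shared store instead (assumption about how the project would deploy this).
    """

    def __init__(self, allow_list=(), rate=1.0, burst=5):
        self.allow_list = [ipaddress.ip_network(n) for n in allow_list]
        self.rate = float(rate)
        self.burst = float(burst)
        self._buckets = {}  # client ip -> (tokens, last timestamp)

    def _allowed_by_list(self, ip):
        if not self.allow_list:
            return True
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.allow_list)

    def _take_token(self, ip, now):
        tokens, last = self._buckets.get(ip, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)  # refill since last seen
        if tokens < 1:
            self._buckets[ip] = (tokens, now)
            return False
        self._buckets[ip] = (tokens - 1, now)
        return True

    def decide(self, view_name, client_ip, now=None):
        """Return an HTTP status to answer with (403/429), or None to let the view run.

        Call it from a middleware's process_view with
        request.resolver_match.view_name and the sanitized client IP; a None
        client IP (chain could not be trusted) is rejected.
        """
        if view_name not in METADATA_VIEW_NAMES:
            return None
        if client_ip is None or not self._allowed_by_list(client_ip):
            return 403
        now = time.monotonic() if now is None else now
        if not self._take_token(client_ip, now):
            return 429
        return None
```

The rate limit keys on the sanitized client IP, so it is only as good as the X-Forwarded-For handling described in the previous section; a spoofable IP would let one client open many buckets.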
Django settings
Warning
Before 0.5.0, django-digid-eherkenning was settings driven. This has been moved to database configuration. The DIGID and EHERKENNING settings have been removed.
DIGID_SESSION_AGE
Maximum duration that a session is valid for when authenticating with DigiD, in seconds. Defaults to 900 (15 minutes).
DigiD requires sessions to expire after 15 minutes or less of inactivity.
Note
This setting is a last resort: the session will expire after 15 minutes even if there is user activity. Typically you want to define a middleware in your project to extend the session duration while there is still activity.
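A project-side middleware of the kind the note suggests, added here as an example that is not part of django-digid-eherkenning. It restarts the 15-minute countdown on every request and ends the session once a gap longer than DIGID_SESSION_AGE is seen between two requests, which is what DigiD's inactivity rule asks for. It uses only the Django session API (`get`, `set_expiry`, `flush`) and imports nothing from Django so it can be exercised offline; the `_digid_last_activity` session key, the `mark_digid_login` hook and the middleware name are assumptions of this example, and it assumes the project is free to reset the expiry that the library set at login.

```python
import time

DIGID_SESSION_AGE = 900  # library default: 15 minutes, in seconds
ACTIVITY_KEY = "_digid_last_activity"  # session key chosen for this example (assumption)


def mark_digid_login(session, now=None):
    """Call once after a successful DigiD login so the middleware tracks this session."""
    session[ACTIVITY_KEY] = time.time() if now is None else now
    session.set_expiry(DIGID_SESSION_AGE)


class DigiDInactivityMiddleware:
    """Slide the session expiry forward while the user stays active.

    Sessions without the activity marker are left alone. `clock` is
    injectable so the behaviour can be tested without sleeping.
    """

    def __init__(self, get_response, max_age=DIGID_SESSION_AGE, clock=time.time):
        self.get_response = get_response
        self.max_age = max_age
        self.clock = clock

    def __call__(self, request):
        session = request.session
        last = session.get(ACTIVITY_KEY)
        if last is not None:
            now = self.clock()
            if now - last > self.max_age:
                # Inactive for longer than allowed: drop the session and everything in it.
                session.flush()
            else:
                session[ACTIVITY_KEY] = now
                # Django SessionBase API: restart the countdown from this request.
                session.set_expiry(self.max_age)
        return self.get_response(request)
```

Register the class in MIDDLEWARE after Django's SessionMiddleware so `request.session` exists when it runs.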