VDP: https://free.law/vulnerability-disclosure-policy/

When DEBUG=False, Django enables these security settings:

• SECRET_KEY auto-generated at runtime (Docker entrypoint)
• GROQ_API_KEY in .env file (gitignored)

• Uses Docker secrets mounted at /run/secrets/
• Never stored on disk or in environment variables visible to docker inspect

# Create production secrets
mkdir -p secrets
python -c "from django.core.management.utils import get_random_secret_key; print(get_random_secret_key())" > secrets/django_secret_key.txt
echo "your-secure-password" > secrets/db_password.txt
chmod 600 secrets/*.txt

See secrets/README.md for details.

CSP prevents XSS attacks by controlling which resources can load.

Settings in config/settings.py:

CSP_DEFAULT_SRC = ("'self'",)
CSP_SCRIPT_SRC = ("'self'", "https://cdn.jsdelivr.net")
CSP_STYLE_SRC = ("'self'",)
# ... see settings.py for full config

Pre-commit (static analysis):

• csp-inline-check hook blocks onclick=, onload=, etc.
• Run: pre-commit run csp-inline-check --all-files

Browser (manual):

1. Open DevTools → Console
2. CSP violations appear as errors
3. Check Content-Security-Policy header in Network tab

Selenium (future - with Docker):

# Example: Verify no CSP violations in browser console
from selenium import webdriver

def test_no_csp_violations(live_server):
    driver = webdriver.Chrome()
    driver.get(live_server.url)

    logs = driver.get_log('browser')
    csp_errors = [l for l in logs if 'Content Security Policy' in l['message']]

    assert len(csp_errors) == 0, f"CSP violations: {csp_errors}"
    driver.quit()