Installation:
With the CKAN virtualenv activated, install the extension in development mode (python setup.py develop must be run from inside the extension's own source checkout):
cd /usr/lib/ckan/default/src
python setup.py develop
Add fortify to the ckan.plugins setting in the CKAN config file; until it is listed there the extension is not loaded and none of the settings below have any effect:
fortify
All features are disabled by default (opt-in security): loading the plugin alone changes nothing, each control has to be switched on explicitly.
- Force HTML resource downloads (prevent Stored XSS):
Uploaded resources containing HTML are served as file downloads instead of being rendered inline, so attacker-supplied markup and script in a resource never executes in the portal's own origin.
ckan.fortify.force_html_resource_downloads = True
Default: False
- Parent organization membership check (requires ckanext-hierarchy):
Verifies that the requesting user is an admin of the parent organization before a child organization may be created under it, so a user cannot attach a new organization beneath a parent they do not administer.
ckan.fortify.check_parent_org_allowed = True
Default: False
- Anti-CSRF tokens for forms and action buttons:
Adds a per-session token to forms and action buttons and rejects state-changing requests that do not carry a valid one.
ckan.fortify.enable_anti_csrf_tokens = True
Default: False
- Password policy:
ckan.fortify.enable_password_policy = True
ckan.fortify.password_policy.min_length = 12
ckan.fortify.password_policy.allow_repeated_chars = True
Defaults: False, 12, True
min_length is the minimum number of characters a new password must have.
allow_repeated_chars = True means repeated characters are allowed; set it to False to reject passwords containing repeated characters.
The two sub-settings are only enforced while enable_password_policy is True; setting them on their own does nothing.
Each feature can be enabled independently based on security requirements.
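As an added example (not part of ckanext-fortify), the following Python script parses a CKAN .ini and reports which fortify controls are still at their opt-in defaults, including the two traps above: settings present but fortify missing from ckan.plugins, and password sub-settings present with enable_password_policy off. It assumes only the setting names documented above, CKAN's usual true/false spellings, and that ckanext-hierarchy registers the hierarchy_display and hierarchy_form plugins; the three .ini samples are constructed for the demonstration.

```python
"""Audit a CKAN .ini for ckanext-fortify controls left at their opt-in defaults.

Added example, not ckanext-fortify's own code. Setting names come from the
README above; the hierarchy plugin names are an assumption.
"""
import configparser
import sys

# Setting name -> documented default. Every control is opt-in.
FORTIFY_DEFAULTS = {
    "ckan.fortify.force_html_resource_downloads": "False",
    "ckan.fortify.check_parent_org_allowed": "False",
    "ckan.fortify.enable_anti_csrf_tokens": "False",
    "ckan.fortify.enable_password_policy": "False",
    "ckan.fortify.password_policy.min_length": "12",
    "ckan.fortify.password_policy.allow_repeated_chars": "True",
}
BOOLEAN_CONTROLS = (
    "ckan.fortify.force_html_resource_downloads",
    "ckan.fortify.check_parent_org_allowed",
    "ckan.fortify.enable_anti_csrf_tokens",
)
HIERARCHY_PLUGINS = {"hierarchy_display", "hierarchy_form"}  # assumed ckanext-hierarchy plugin names
TRUE_VALUES = {"true", "yes", "on", "1"}  # spellings CKAN's asbool treats as true

# Constructed sample 1: plugin loaded, nothing switched on (the documented defaults).
DEFAULT_INI = """\
[app:main]
use = egg:ckan
ckan.plugins = stats text_view fortify
"""
# Constructed sample 2: everything enabled, hierarchy present, repeated chars rejected.
HARDENED_INI = """\
[app:main]
use = egg:ckan
ckan.plugins = stats text_view hierarchy_display hierarchy_form fortify
ckan.fortify.force_html_resource_downloads = True
ckan.fortify.check_parent_org_allowed = True
ckan.fortify.enable_anti_csrf_tokens = True
ckan.fortify.enable_password_policy = True
ckan.fortify.password_policy.min_length = 12
ckan.fortify.password_policy.allow_repeated_chars = False
"""
# Constructed sample 3: settings present, but fortify itself is not loaded.
MISCONFIGURED_INI = """\
[app:main]
use = egg:ckan
ckan.plugins = stats text_view
ckan.fortify.force_html_resource_downloads = True
ckan.fortify.check_parent_org_allowed = True
ckan.fortify.enable_anti_csrf_tokens = True
ckan.fortify.enable_password_policy = True
ckan.fortify.password_policy.allow_repeated_chars = True
"""


def asbool(value):
    """Boolean parse with the same accepted spellings as CKAN's asbool."""
    return str(value).strip().lower() in TRUE_VALUES


def effective_settings(ini_text):
    """Read [app:main] and fill in the documented default for every absent key."""
    parser = configparser.ConfigParser(interpolation=None)  # CKAN values may contain '%'
    parser.read_string(ini_text)
    section = parser["app:main"]
    settings = {key: section.get(key, default) for key, default in FORTIFY_DEFAULTS.items()}
    settings["ckan.plugins"] = section.get("ckan.plugins", "").split()
    return settings


def audit_fortify(ini_text):
    """Return a list of findings; an empty list means every control is on."""
    s = effective_settings(ini_text)
    findings = []
    if "fortify" not in s["ckan.plugins"]:
        findings.append("fortify is not in ckan.plugins: the extension is not loaded, "
                        "so the ckan.fortify.* settings have no effect")
    for key in BOOLEAN_CONTROLS:
        if not asbool(s[key]):
            findings.append(f"{key} is off (default)")
    if asbool(s["ckan.fortify.check_parent_org_allowed"]) and not (HIERARCHY_PLUGINS & set(s["ckan.plugins"])):
        findings.append("check_parent_org_allowed is on but no ckanext-hierarchy plugin is loaded")
    if asbool(s["ckan.fortify.enable_password_policy"]):
        if int(s["ckan.fortify.password_policy.min_length"]) < 12:
            findings.append("password_policy.min_length is below the documented default of 12")
        if asbool(s["ckan.fortify.password_policy.allow_repeated_chars"]):
            findings.append("password_policy.allow_repeated_chars is True: repeated characters are still accepted")
    else:
        findings.append("enable_password_policy is off: min_length and allow_repeated_chars have no effect")
    return findings


if __name__ == "__main__":
    # Pass a path to audit a real config; otherwise run over the constructed samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            samples = [(sys.argv[1], fh.read())]
    else:
        samples = [("defaults", DEFAULT_INI), ("hardened", HARDENED_INI), ("misconfigured", MISCONFIGURED_INI)]
    for label, ini in samples:
        print(f"== {label} ==")
        for line in audit_fortify(ini) or ["all fortify controls enabled"]:
            print("  -", line)
```

Run it with the path to the live ckan.ini as its only argument; an empty finding list is the state to aim for before exposing the portal.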