seo & security improvements

[t-book]

This issue collects Ideas for improvements regarding SEO and security.

SEO

robots.txt

Add a robots.txt which defines how crawlers index a geonode instance. A possible solution is to simply add a new URL together with an example robots.txt like:

urlpatterns = [
    # ...
    path(
        "robots.txt",
        TemplateView.as_view(template_name="robots.txt", content_type="text/plain"),
    ),
]

sitemap

Add a sitemap to geonode which helps search engines to correctly index your pages and higher the seo ranking. For this job we can use the sitemap framework which comes with Django: https://docs.djangoproject.com/en/3.0/ref/contrib/sitemaps/

More about why sitemaps are still important for example here: https://www.searchenginejournal.com/html-sitemap-importance/325405/

Security

Password strength

GeoNode currently expects a password to have a length of 6 characters as the only requirement. (This allows insufficient combination like geonode/geonode or username/password )

We could improve security by using Djangos inbuilt password Validators

• UserAttributeSimilarityValidator, which checks the similarity between the password and a set of attributes of the user.
• MinimumLengthValidator, which checks whether the password meets a minimum length. This validator is configured with a custom option: it now requires the minimum length to be nine characters, instead of the default eight.
• CommonPasswordValidator, which checks whether the password occurs in a list of common passwords. By default, it compares to an included list of 20,000 common passwords.
• NumericPasswordValidator, which checks whether the password isn’t entirely numeric.

https://docs.djangoproject.com/en/3.0/topics/auth/passwords/#enabling-password-validation

Personally I would welcome UserAttributeSimilarityValidator and NumericPasswordValidator to be added. Plus a third custom validator which forces the user to choose a combination between characters, numbers and special chars.

Block user failed login attempts

A further improvement in security is to block users after x failed login attempts for y minutes/hours. This lowers the risks of password list penetrations and avoids unneeded server load. Possible candidates:

• https://github.com/jazzband/django-defender
• https://github.com/jazzband/django-axes

[afabiani]

++ very good, thanks @t-book

[gannebamm]

I would postpone this to 3.2? Or shall someone make a draft for 3.1?

[t-book]

@gannebamm yes +1 . I do see this ticket as Ideas for improvements nothing urgent.

[giohappy]

@t-book do you aready have a PR for this?

[t-book]

@giohappy unfortunately not. this is only in the state of suggestion. (we can close if you want)

[giohappy]

We can keep it around for a while. We were considering some SEO optimizations for master branchs.