Configuration Reference
All options are configured in your settings.py under the NIS2_SHIELD dictionary.
Security Keys
| Option | Type | Default | Description |
|---|---|---|---|
| INTEGRITY_KEY | string | Required | Secret key for HMAC-SHA256 log signing |
| ENCRYPTION_KEY | bytes | None | Fernet key for PII encryption. Generate with Fernet.generate_key() |
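```python
import os

from cryptography.fernet import Fernet  # Fernet.generate_key() creates a new key

NIS2_SHIELD = {
    # Required: secret used for HMAC-SHA256 log signing
    'INTEGRITY_KEY': os.environ.get('NIS2_INTEGRITY_KEY'),
    # Fernet key as bytes; falls back to None when the variable is unset
    'ENCRYPTION_KEY': os.environ.get('NIS2_ENCRYPTION_KEY', '').encode() or None,
}
```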
Privacy (GDPR)
| Option | Type | Default | Description |
|---|---|---|---|
| ANONYMIZE_IPS | bool | True | Anonymize last octet of IP addresses |
| ENCRYPT_PII | bool | True | Encrypt PII fields in logs |
| PII_FIELDS | list | ['user_id', 'email', 'ip', 'user_agent'] | Fields to encrypt |
Rate Limiting
| Option | Type | Default | Description |
|---|---|---|---|
| ENABLE_RATE_LIMIT | bool | True | Enable rate limiting |
| RATE_LIMIT_THRESHOLD | int | 100 | Max requests per window |
| RATE_LIMIT_WINDOW | int | 60 | Window size in seconds |
| RATE_LIMIT_ALGORITHM | string | 'sliding_window' | 'sliding_window' or 'fixed_window' |
v0.3.1+: The sliding window algorithm gives more accurate rate limiting and avoids the bursts a fixed window lets through at window boundaries.
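The boundary issue, shown with an added example that is not NIS2 Shield's own implementation: a fixed-window counter and a sliding-log limiter are fed the same constructed burst straddling a window edge. The class and function names are hypothetical; 100 and 60 are the page's defaults for RATE_LIMIT_THRESHOLD and RATE_LIMIT_WINDOW, and the sliding log is one common way to build a sliding window.

```python
from collections import deque

class FixedWindowLimiter:
    """Counter that resets at every multiple of `window` seconds."""
    def __init__(self, threshold, window):
        self.threshold, self.window = threshold, window
        self.bucket, self.count = None, 0

    def allow(self, now):
        bucket = int(now // self.window)
        if bucket != self.bucket:  # new window: the counter starts over
            self.bucket, self.count = bucket, 0
        if self.count >= self.threshold:
            return False
        self.count += 1
        return True

class SlidingWindowLimiter:
    """Sliding log: remembers accepted requests from the last `window` seconds."""
    def __init__(self, threshold, window):
        self.threshold, self.window = threshold, window
        self.accepted = deque()

    def allow(self, now):
        while self.accepted and self.accepted[0] <= now - self.window:
            self.accepted.popleft()  # drop entries older than the window
        if len(self.accepted) >= self.threshold:
            return False
        self.accepted.append(now)
        return True

def max_accepted_in_any_window(limiter, timestamps, window):
    """Largest number of accepted requests inside any `window`-second span."""
    accepted = [t for t in timestamps if limiter.allow(t)]
    worst, start = 0, 0
    for end, t in enumerate(accepted):
        while accepted[start] <= t - window:
            start += 1
        worst = max(worst, end - start + 1)
    return worst

# Constructed traffic: 150 requests in the last second of one window,
# then 150 more in the first second of the next.
BURST = [59.0 + i / 150 for i in range(150)] + [60.0 + i / 150 for i in range(150)]

if __name__ == "__main__":
    print("fixed  :", max_accepted_in_any_window(FixedWindowLimiter(100, 60), BURST, 60))
    print("sliding:", max_accepted_in_any_window(SlidingWindowLimiter(100, 60), BURST, 60))
```

With 'fixed_window' semantics the client gets twice the configured threshold through within two seconds, while the sliding log holds it to the threshold over any 60-second span.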
Session Guard
| Option | Type | Default | Description |
|---|---|---|---|
| ENABLE_SESSION_GUARD | bool | True | Enable session hijacking protection |
| SESSION_IP_TOLERANCE | string | 'subnet' | 'exact', 'subnet', or 'none' |
Tor Blocking
| Option | Type | Default | Description |
|---|---|---|---|
| BLOCK_TOR_EXIT_NODES | bool | False | Block Tor exit nodes |
MFA Gatekeeper
| Option | Type | Default | Description |
|---|---|---|---|
| ENFORCE_MFA_ROUTES | list | [] | URL prefixes requiring MFA |
| MFA_SESSION_FLAG | string | 'is_verified_mfa' | Session key indicating MFA complete |
| MFA_REDIRECT_URL | string | '/mfa/verify/' | Redirect URL for MFA verification |
Webhooks v0.3.1+
| Option | Type | Default | Description |
|---|---|---|---|
| ENABLE_WEBHOOKS | bool | False | Enable webhook notifications |
| WEBHOOK_ASYNC | bool | True | Send webhooks asynchronously |
| WEBHOOKS | list | [] | List of webhook configurations |
```python
NIS2_SHIELD = {
    'ENABLE_WEBHOOKS': True,
    'WEBHOOKS': [
        {'url': 'https://hooks.slack.com/services/...', 'format': 'slack'},
        {'url': 'https://outlook.office.com/webhook/...', 'format': 'teams'},
        {'url': 'https://discord.com/api/webhooks/...', 'format': 'discord'},
        {'url': 'https://your-siem.com/api/alerts', 'format': 'json'},
    ]
}
```
Full Configuration Example
```python
import os

from cryptography.fernet import Fernet  # Fernet.generate_key() creates a new key

NIS2_SHIELD = {
    # Security Keys
    # 'dev-key' is a development fallback; set NIS2_INTEGRITY_KEY in production
    'INTEGRITY_KEY': os.environ.get('NIS2_INTEGRITY_KEY', 'dev-key'),
    # Empty or unset variable yields None (no Fernet key configured)
    'ENCRYPTION_KEY': os.environ.get('NIS2_ENCRYPTION_KEY', '').encode() or None,
    # Privacy (GDPR)
    'ANONYMIZE_IPS': True,
    'ENCRYPT_PII': True,
    'PII_FIELDS': ['user_id', 'email', 'ip', 'user_agent'],
    # Rate Limiting
    'ENABLE_RATE_LIMIT': True,
    'RATE_LIMIT_THRESHOLD': 100,
    'RATE_LIMIT_WINDOW': 60,
    'RATE_LIMIT_ALGORITHM': 'sliding_window',
    # Session Guard
    'ENABLE_SESSION_GUARD': True,
    'SESSION_IP_TOLERANCE': 'subnet',
    # Tor Blocking
    'BLOCK_TOR_EXIT_NODES': True,
    # MFA
    'ENFORCE_MFA_ROUTES': ['/admin/', '/finance/', '/api/sensitive/'],
    'MFA_SESSION_FLAG': 'is_verified_mfa',
    'MFA_REDIRECT_URL': '/accounts/mfa/verify/',
    # Webhooks
    'ENABLE_WEBHOOKS': True,
    'WEBHOOK_ASYNC': True,
    'WEBHOOKS': [
        {'url': os.environ.get('SLACK_WEBHOOK_URL'), 'format': 'slack'},
    ]
}
```