From 48c056b210b9fa1029af2954eff7e8e8c46fd684 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Wed, 9 Mar 2022 12:30:18 +0100 Subject: [PATCH] Harden Django project configuration Set session and CSRF cookies as secure for production. Set HSTS header to let browser remember HTTPS for 1 year.
---
 med/settings.py | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/med/settings.py b/med/settings.py
index 1c90644..34cb304 100644
--- a/med/settings.py
+++ b/med/settings.py
@@ -26,6 +26,16 @@ SITE_ID = 1
 ALLOWED_HOSTS = ['127.0.0.1']
+# Use secure cookies in production
+SESSION_COOKIE_SECURE = not DEBUG
+CSRF_COOKIE_SECURE = not DEBUG
+
+# Remember HTTPS for 1 year
+SECURE_HSTS_SECONDS = 31536000
+SECURE_HSTS_INCLUDE_SUBDOMAINS = True
+SECURE_HSTS_PRELOAD = True
+
+
 # Application definition
 INSTALLED_APPS = [
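Review bot: `SECURE_HSTS_PRELOAD = True` combined with `SECURE_HSTS_INCLUDE_SUBDOMAINS = True` commits every subdomain of the deployed site to HTTPS for a full year and, once submitted to the browser preload list, is effectively irreversible, yet nothing in the hunk redirects plain-HTTP requests to HTTPS. Consider adding `SECURE_SSL_REDIRECT = not DEBUG` next to the cookie settings and leaving preload off until every subdomain is confirmed to serve TLS. Unlike the cookie flags, the HSTS settings are not gated on `DEBUG`; that is harmless only because Django's SecurityMiddleware emits the header solely on requests it considers secure, which also means that behind a TLS-terminating reverse proxy the header will never be sent unless `SECURE_PROXY_SSL_HEADER` is configured. A comment above the HSTS block stating those assumptions would help, e.g. `# Sent by SecurityMiddleware on HTTPS requests only; set SECURE_PROXY_SSL_HEADER behind a TLS-terminating proxy`. The hunk does not show whether `django.middleware.security.SecurityMiddleware` is present in MIDDLEWARE, which the cookie flags do not require but HSTS does.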