Harden Django project configuration

Set session and CSRF cookies as secure for production. Set HSTS header to let browser remember HTTPS for 1 year.
2024-11-26 14:07:09 +00:00 · 2022-03-09 12:30:18 +01:00 · 2022-03-09 12:30:18 +01:00 · 48c056b210
commit 48c056b210
parent cf544dc596
1 changed files with 10 additions and 0 deletions
--- a/med/settings.py
+++ b/med/settings.py
@ -26,6 +26,16 @@ SITE_ID = 1

 ALLOWED_HOSTS = ['127.0.0.1']

+# Use secure cookies in production
+SESSION_COOKIE_SECURE = not DEBUG
+CSRF_COOKIE_SECURE = not DEBUG
+
+# Remember HTTPS for 1 year
+SECURE_HSTS_SECONDS = 31536000
+SECURE_HSTS_INCLUDE_SUBDOMAINS = True
+SECURE_HSTS_PRELOAD = True
+
+
 # Application definition

 INSTALLED_APPS = [