From df5f9b5f1e18ab258439cf7bbfc5fc0ae2077f5c Mon Sep 17 00:00:00 2001
From: Alexandre Iooss
Date: Wed, 9 Mar 2022 12:12:56 +0100
Subject: [PATCH] Harden Django project configuration

Set session and CSRF cookies as secure for production. Set HSTS header to let browser remember HTTPS for 1 year.
---
 note_kfet/settings/base.py | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/note_kfet/settings/base.py b/note_kfet/settings/base.py
index 2ee10c25..549399d7 100644
--- a/note_kfet/settings/base.py
+++ b/note_kfet/settings/base.py
@@ -24,6 +24,15 @@ ALLOWED_HOSTS = [
 os.getenv('NOTE_URL', 'localhost'),
 ]
+# Use secure cookies in production
+SESSION_COOKIE_SECURE = not DEBUG
+CSRF_COOKIE_SECURE = not DEBUG
+
+# Remember HTTPS for 1 year
+SECURE_HSTS_SECONDS = 31536000
+SECURE_HSTS_INCLUDE_SUBDOMAINS = True
+SECURE_HSTS_PRELOAD = True
+
 # Application definition
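Review bot: `SECURE_HSTS_PRELOAD = True` combined with `SECURE_HSTS_INCLUDE_SUBDOMAINS = True` and a one-year max-age is effectively irreversible once the domain is submitted to the browser preload list, so every subdomain of the host in `NOTE_URL` must already serve HTTPS before this block ships; Django's deployment guidance is to start with a small `SECURE_HSTS_SECONDS` and raise it only after HTTPS is confirmed everywhere, and the comment should say so, e.g. `# Preload is a long-term commitment: all subdomains must serve HTTPS first`. These headers are only emitted by `django.middleware.security.SecurityMiddleware` on requests Django considers secure, so if the app runs behind a TLS-terminating proxy the new settings are silently inert unless `SECURE_PROXY_SSL_HEADER` (e.g. `('HTTP_X_FORWARDED_PROTO', 'https')`) is also set and the proxy strips that header from client traffic; neither the middleware list nor that setting is visible in this hunk, so this is worth confirming in the rest of base.py. `not DEBUG` relies on `DEBUG` being assigned earlier in base.py, outside the hunk. Unlike the cookie flags, the HSTS block is not gated on `DEBUG`, which is harmless for plain-HTTP development but deserves a one-line comment so the asymmetry reads as deliberate.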