Harden Django project configuration

Set session and CSRF cookies as secure for production. Set HSTS header to let browser remember HTTPS for 1 year.
2022-03-09 12:12:56 +01:00 · 2022-03-09 12:12:56 +01:00 · df5f9b5f1e
parent 5f69232560
commit df5f9b5f1e
1 changed files with 9 additions and 0 deletions
--- a/note_kfet/settings/base.py
+++ b/note_kfet/settings/base.py
@ -24,6 +24,15 @@ ALLOWED_HOSTS = [
    os.getenv('NOTE_URL', 'localhost'),
 ]

+# Use secure cookies in production
+SESSION_COOKIE_SECURE = not DEBUG
+CSRF_COOKIE_SECURE = not DEBUG
+
+# Remember HTTPS for 1 year
+SECURE_HSTS_SECONDS = 31536000
+SECURE_HSTS_INCLUDE_SUBDOMAINS = True
+SECURE_HSTS_PRELOAD = True
+

 # Application definition