From 04ad8dff30e8b9aa0655d826914c54504c03f104 Mon Sep 17 00:00:00 2001
From: Ben Adida <ben@adida.net>
Date: Fri, 27 Oct 2017 02:54:41 +0000
Subject: [PATCH] hsts upgrade

---
 settings.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/settings.py b/settings.py
index fad1256..fa5127b 100644
--- a/settings.py
+++ b/settings.py
@@ -100,11 +100,11 @@ if (get_from_env('SSL', '0') == '1'):
 
 SESSION_COOKIE_HTTPONLY = True
 
-# one week HSTS seems like a good balance for MITM prevention
+# let's go with one year because that's the way to do it now
 if (get_from_env('HSTS', '0') == '1'):
-    SECURE_HSTS_SECONDS = 3600 * 24 * 7
+    SECURE_HSTS_SECONDS = 52 * 3600 * 24 * 7
     # not doing subdomains for now cause that is not likely to be necessary and can screw things up.
-    SECURE_HSTS_INCLUDE_SUBDOMAINS = False
+    SECURE_HSTS_INCLUDE_SUBDOMAINS = True
 
 SECURE_BROWSER_XSS_FILTER = True
 SECURE_CONTENT_TYPE_NOSNIFF = True
-- 
GitLab