hsts

helios/security.py

@@ -20,6 +20,13 @@ import urllib
 
 import helios
 
+
+class HSTSMiddleware:
+    def process_response(self, request, response):
+        if settings.STS:
+          response['Strict-Transport-Security'] = "max-age=31536000; includeSubDomains; preload"
+        return response
+        
 # current voter
 def get_voter(request, user, election):
   """

settings.py

@@ -101,10 +101,13 @@ if (get_from_env('SSL', '0') == '1'):
 SESSION_COOKIE_HTTPONLY = True
 
 # let's go with one year because that's the way to do it now
+STS = False
 if (get_from_env('HSTS', '0') == '1'):
-    SECURE_HSTS_SECONDS = 31536000
+    STS = True
+    # we're using our own custom middleware now
+    # SECURE_HSTS_SECONDS = 31536000
     # not doing subdomains for now cause that is not likely to be necessary and can screw things up.
-    SECURE_HSTS_INCLUDE_SUBDOMAINS = True
+    # SECURE_HSTS_INCLUDE_SUBDOMAINS = True
 
 SECURE_BROWSER_XSS_FILTER = True
 SECURE_CONTENT_TYPE_NOSNIFF = True
@@ -121,6 +124,7 @@ MIDDLEWARE_CLASSES = (
 
     # secure a bunch of things
     'djangosecure.middleware.SecurityMiddleware',
+    'helios.security.HSTSMiddleware',
     'django.middleware.clickjacking.XFrameOptionsMiddleware',
 
     'django.middleware.common.CommonMiddleware',