From 3e3424aa174b4b1bf87cce7b14d3ba00f30fa82a Mon Sep 17 00:00:00 2001
From: Ben Adida <ben@adida.net>
Date: Fri, 27 Oct 2017 03:27:48 +0000
Subject: [PATCH] hsts

---
 helios/security.py | 7 +++++++
 settings.py        | 8 ++++++--
 2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/helios/security.py b/helios/security.py
index 971499e..c022821 100644
--- a/helios/security.py
+++ b/helios/security.py
@@ -20,6 +20,13 @@ import urllib
 
 import helios
 
+
+class HSTSMiddleware:
+    def process_response(self, request, response):
+        if settings.STS:
+          response['Strict-Transport-Security'] = "max-age=31536000; includeSubDomains; preload"
+        return response
+        
 # current voter
 def get_voter(request, user, election):
   """
diff --git a/settings.py b/settings.py
index 45a9357..9a580de 100644
--- a/settings.py
+++ b/settings.py
@@ -101,10 +101,13 @@ if (get_from_env('SSL', '0') == '1'):
 SESSION_COOKIE_HTTPONLY = True
 
 # let's go with one year because that's the way to do it now
+STS = False
 if (get_from_env('HSTS', '0') == '1'):
-    SECURE_HSTS_SECONDS = 31536000
+    STS = True
+    # we're using our own custom middleware now
+    # SECURE_HSTS_SECONDS = 31536000
     # not doing subdomains for now cause that is not likely to be necessary and can screw things up.
-    SECURE_HSTS_INCLUDE_SUBDOMAINS = True
+    # SECURE_HSTS_INCLUDE_SUBDOMAINS = True
 
 SECURE_BROWSER_XSS_FILTER = True
 SECURE_CONTENT_TYPE_NOSNIFF = True
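Review bot: The two SECURE_HSTS_* settings are kept as commented-out lines rather than removed, and the comment above the block ("let's go with one year …") now describes a value that lives in helios.security.HSTSMiddleware instead of here; since the max-age and the subdomain decision are no longer configured in this file, the dead lines and the "not doing subdomains" comment will drift from what the middleware actually emits. I would delete the commented settings and replace the comments with `# HSTS header itself is emitted by helios.security.HSTSMiddleware when STS is True.` so the policy has one home.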
@@ -121,6 +124,7 @@ MIDDLEWARE_CLASSES = (
 
     # secure a bunch of things
     'djangosecure.middleware.SecurityMiddleware',
+    'helios.security.HSTSMiddleware',
     'django.middleware.clickjacking.XFrameOptionsMiddleware',
 
     'django.middleware.common.CommonMiddleware',
-- 
GitLab