From 3e3424aa174b4b1bf87cce7b14d3ba00f30fa82a Mon Sep 17 00:00:00 2001
From: Ben Adida <ben@adida.net>
Date: Fri, 27 Oct 2017 03:27:48 +0000
Subject: [PATCH] hsts
---
 helios/security.py | 7 +++++++
 settings.py | 8 ++++++--
 2 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/helios/security.py b/helios/security.py
index 971499e..c022821 100644
--- a/helios/security.py
+++ b/helios/security.py
@@ -20,6 +20,13 @@
 import urllib
 import helios
+
+class HSTSMiddleware:
+ def process_response(self, request, response):
+ if settings.STS:
+ response['Strict-Transport-Security'] = "max-age=31536000; includeSubDomains; preload"
+ return response
+
 # current voter
 def get_voter(request, user, election):
 """
diff --git a/settings.py b/settings.py
index 45a9357..9a580de 100644
--- a/settings.py
+++ b/settings.py
@@ -101,10 +101,13 @@ if (get_from_env('SSL', '0') == '1'):
 SESSION_COOKIE_HTTPONLY = True
 # let's go with one year because that's the way to do it now
+STS = False
 if (get_from_env('HSTS', '0') == '1'):
- SECURE_HSTS_SECONDS = 31536000
+ STS = True
+ # we're using our own custom middleware now
+ # SECURE_HSTS_SECONDS = 31536000
 # not doing subdomains for now cause that is not likely to be necessary and can screw things up.
- SECURE_HSTS_INCLUDE_SUBDOMAINS = True
+ # SECURE_HSTS_INCLUDE_SUBDOMAINS = True
 SECURE_BROWSER_XSS_FILTER = True
 SECURE_CONTENT_TYPE_NOSNIFF = True
@@ -121,6 +124,7 @@ MIDDLEWARE_CLASSES = (
 # secure a bunch of things
 'djangosecure.middleware.SecurityMiddleware',
+ 'helios.security.HSTSMiddleware',
 'django.middleware.clickjacking.XFrameOptionsMiddleware',
 'django.middleware.common.CommonMiddleware',
-- 
GitLab
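Review bot: `HSTSMiddleware.process_response` writes the Strict-Transport-Security header onto every response because it tests only `settings.STS`, so plain-HTTP responses carry it too; RFC 6797 says a host should send the header only over a secure transport (user agents discard it otherwise), and Django's own SecurityMiddleware gates on the request for that reason. The guard should be `if settings.STS and request.is_secure():`, which also keeps the header off any HTTP health-check or redirect path that stays in front of the TLS terminator. The visible context lines import only `urllib` and `helios`, so confirm that `from django.conf import settings` is already in scope higher in helios/security.py, otherwise this raises NameError on the first response once HSTS=1. The class has no docstring; a one-liner such as `"""Emit Strict-Transport-Security (one year, includeSubDomains, preload) when settings.STS is set, i.e. HSTS=1 in the environment."""` would record what the hard-coded value commits the deployment to.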
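Review bot: The retained comment "not doing subdomains for now cause that is not likely to be necessary and can screw things up" is now wrong: the middleware this hunk switches to sends `includeSubDomains; preload` unconditionally, so an operator reading settings.py will believe subdomains are exempt when they are not. That combination is the strongest possible commitment, since any browser that has seen the header refuses plain-HTTP to every subdomain for a year, and once the host is submitted to browser preload lists the policy is effectively permanent and slow to revoke; it deserves an explicit warning rather than a stale one, e.g. `# HSTSMiddleware sends includeSubDomains and preload: every subdomain of this host must be HTTPS-only before setting HSTS=1`. The two commented-out `SECURE_HSTS_*` lines are dead code and can go; the "we're using our own custom middleware" note is enough. If some deployments cannot accept preload, the header value would be better read from a setting here than hard-coded in the middleware, but that is a design choice for the maintainers.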
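Review bot: `helios.security.HSTSMiddleware` as written implements only the legacy `process_response` hook, so it works under `MIDDLEWARE_CLASSES` but has no `__init__(get_response)`/`__call__` and will silently stop applying if this list is ever migrated to Django's `MIDDLEWARE` setting. A one-line note at the registration would save a later surprise, e.g. `# legacy-style middleware (process_response only); needs MiddlewareMixin if this list becomes MIDDLEWARE`. Response-phase hooks run bottom-up, so this class stamps the header before `djangosecure`'s SecurityMiddleware sees the response; if any site-local override still sets `SECURE_HSTS_SECONDS`, confirm which value ends up on the wire rather than assuming they agree.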