Tuesday, 11 October 2022

HTTP Strict Transport Security and the Django Strict-Transport-Security header

https://stackoverflow.com/questions/49166768/setting-secure-hsts-seconds-can-irreversibly-break-your-site


https://docs.djangoproject.com/en/4.1/ref/middleware/

https://www.stackhawk.com/blog/django-http-strict-transport-security-guide-what-it-is-and-how-to-enable-it/


HTTP Strict Transport Security

HTTP Strict Transport Security lets a website inform the browser that it should never load the site over HTTP and should automatically convert every attempt to access the site over HTTP into an HTTPS request instead. It consists of one HTTP header, Strict-Transport-Security, sent back by the server with the resource.



To enforce it in Django, set the following three settings in settings.py (quoted from the Django 4.1 settings reference):

https://docs.djangoproject.com/en/4.1/ref/settings/

SECURE_HSTS_INCLUDE_SUBDOMAINS

Default: False

If True, the SecurityMiddleware adds the includeSubDomains directive to the HTTP Strict Transport Security header. It has no effect unless SECURE_HSTS_SECONDS is set to a non-zero value.

Warning

Setting this incorrectly can irreversibly (for the value of SECURE_HSTS_SECONDS) break your site. Read the HTTP Strict Transport Security documentation first.

SECURE_HSTS_PRELOAD

Default: False

If True, the SecurityMiddleware adds the preload directive to the HTTP Strict Transport Security header. It has no effect unless SECURE_HSTS_SECONDS is set to a non-zero value.

SECURE_HSTS_SECONDS

Default: 0

If set to a non-zero integer value, the SecurityMiddleware sets the HTTP Strict Transport Security header on all responses that do not already have it.

Warning

Setting this incorrectly can irreversibly (for some time) break your site. Read the HTTP Strict Transport Security documentation first.



SECURE_HSTS_SECONDS: caution! Set it to 60 seconds to try it out first.

In other words, if you set the value of SECURE_HSTS_SECONDS to e.g. 518400 (6 days), your web server will inform your client's browser, the first time they visit your site, to access your website exclusively over HTTPS in the future. This applies for the entire defined period. If for any reason you no longer provide access to your website over HTTPS, the browser could not access your services anymore.

Therefore, you should initially set this variable to a low value such as 60 seconds and make sure that everything works as expected; otherwise you could lock yourself and your clients out of your own site.
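As an added example (not Django's own code), the following reimplements, without a Django dependency, the header logic that SecurityMiddleware applies for the three settings above, and flags the risky combinations the warnings describe. HstsSettings, hsts_header, rollout_findings and the two settings profiles are names and values chosen here, not taken from the Django docs.

```python
# Added example: dependency-free reimplementation of the Strict-Transport-Security
# logic in django.middleware.security.SecurityMiddleware, plus a pre-deployment check.
from dataclasses import dataclass
from typing import Optional

ONE_YEAR = 31536000  # seconds; the minimum max-age the hstspreload.org list accepts


@dataclass
class HstsSettings:  # hypothetical container mirroring the settings.py names
    SECURE_HSTS_SECONDS: int = 0
    SECURE_HSTS_INCLUDE_SUBDOMAINS: bool = False
    SECURE_HSTS_PRELOAD: bool = False


def hsts_header(cfg: HstsSettings, request_is_secure: bool = True,
                existing: Optional[str] = None) -> Optional[str]:
    """Return the header value the middleware would set on a response, or None.

    Mirrors Django's rules: nothing is added when SECURE_HSTS_SECONDS is 0, when the
    request did not arrive over HTTPS, or when the response already carries the header.
    """
    if not cfg.SECURE_HSTS_SECONDS or not request_is_secure:
        return None
    if existing is not None:
        return existing  # "responses that do not already have it"
    value = f"max-age={cfg.SECURE_HSTS_SECONDS}"
    if cfg.SECURE_HSTS_INCLUDE_SUBDOMAINS:
        value += "; includeSubDomains"
    if cfg.SECURE_HSTS_PRELOAD:
        value += "; preload"
    return value


def rollout_findings(cfg: HstsSettings) -> list[str]:
    """Flag the combinations the Django warnings are about; empty list means go."""
    findings = []
    secs = cfg.SECURE_HSTS_SECONDS
    if secs > 3600:  # anything past a short trial is hard to undo once browsers cache it
        findings.append(f"max-age={secs}: browsers refuse plain HTTP for "
                        f"{secs / 86400:.1f} days; trial with 60 seconds first")
    if secs and cfg.SECURE_HSTS_INCLUDE_SUBDOMAINS:
        findings.append("includeSubDomains: every subdomain must serve HTTPS as well")
    if secs and cfg.SECURE_HSTS_PRELOAD and (secs < ONE_YEAR or not cfg.SECURE_HSTS_INCLUDE_SUBDOMAINS):
        findings.append("preload: list submission needs max-age >= 31536000 and includeSubDomains")
    return findings


# Constructed profiles: the 60-second trial recommended above, then the 6-day rollout.
TRIAL = HstsSettings(SECURE_HSTS_SECONDS=60)
PRODUCTION = HstsSettings(SECURE_HSTS_SECONDS=518400, SECURE_HSTS_INCLUDE_SUBDOMAINS=True)

if __name__ == "__main__":
    for name, cfg in (("trial", TRIAL), ("production", PRODUCTION)):
        print(name, hsts_header(cfg), rollout_findings(cfg))
```

Note that the header is only emitted on HTTPS responses, so a deployment that terminates TLS at a proxy also needs SECURE_PROXY_SSL_HEADER configured for the middleware to see the request as secure.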

