For sites that should only be accessed over HTTPS, you can instruct modern browsers to refuse to connect to your domain name via an insecure connection (for a given period of time) by setting the “Strict-Transport-Security” header. This reduces your exposure to some SSL-stripping man-in-the-middle (MITM) attacks.
Crucial to this decision is the understanding that the ~~AWS Load Balancer~~ Azure App Service handles SSL connections for this app, and not the Django/Nginx system; the domain's certs and HTTP -> HTTPS redirection are all managed at the ~~AWS Load Balancer~~ App Service level.
See for example this app's nginx.conf in which the Nginx server is listening on port 8000 for connections - this is because the Load Balancer sits between the user and Nginx, handling the SSL and translation into the app container. In which case, trying to set this from within the app container may cause more problems than it solves.
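Because TLS terminates at the load balancer / App Service and not in the container, the only place the HSTS header can be verified is in the response the client actually receives. The check below is an added example, not code from this issue or the project: it parses a Strict-Transport-Security value the way a browser does (RFC 6797) and audits a response's headers as seen by the client; the header values it is exercised with are constructed.

```python
# Added example, not code from the project: read a Strict-Transport-Security
# header as a browser does (RFC 6797) and flag common deployment mistakes.
import re

ONE_YEAR = 31536000  # minimum max-age accepted by the browser preload list


def parse_hsts(value: str) -> dict:
    """Parse a header value; raise ValueError where a browser would discard it."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    keys = {"includesubdomains": "include_subdomains", "preload": "preload"}
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        if name in seen:  # RFC 6797 s6.1: each directive appears at most once
            raise ValueError(f"duplicate directive: {name}")
        seen.add(name)
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not re.fullmatch(r"[0-9]+", arg):
                raise ValueError("max-age must be a non-negative integer")
            policy["max_age"] = int(arg)
        elif name in keys:
            policy[keys[name]] = True
        # any other directive is ignored, as the RFC requires
    if policy["max_age"] is None:
        raise ValueError("max-age is required")
    return policy


def audit_hsts(headers: dict, over_https: bool) -> list:
    """Findings for one response as received by the client (over_https = via TLS)."""
    sts = [v for k, v in headers.items() if k.lower() == "strict-transport-security"]
    if not sts:
        return ["no HSTS header"] if over_https else []
    findings = [] if over_https else ["HSTS over plain HTTP: browsers ignore it"]
    try:
        policy = parse_hsts(sts[0])
    except ValueError as e:
        return findings + [f"unparseable HSTS header: {e}"]
    if policy["max_age"] == 0:
        findings.append("max-age=0 clears the policy instead of setting it")
    elif policy["max_age"] < ONE_YEAR:
        findings.append("max-age below one year")
    if policy["preload"] and not policy["include_subdomains"]:
        findings.append("preload requires includeSubDomains")
    return findings
```

Feed `audit_hsts` the headers captured from the public HTTPS hostname, not from the container on port 8000, since that is where the header must actually appear.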
thekaveman changed the title from "Implement HTTP Strict Transport Security" to "Look at implementing HTTP Strict Transport Security" on Nov 18, 2021
HTTP Strict Transport Security or HSTS:
From https://docs.djangoproject.com/en/3.2/ref/middleware/#http-strict-transport-security. We may want/need to do this at the Nginx level instead, see https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/