add settings/functionality to have HSTS include subdomains

carljm · Feb 23, 2012 · 6664ad6 · 6664ad6
1 parent bb9a1e4
commit 6664ad6
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 2 deletions.
diff --git a/djangosecure/conf.py b/djangosecure/conf.py
@@ -19,6 +19,7 @@ def __getattr__(self, k):
 
 conf = Configuration(
     SECURE_HSTS_SECONDS=0,
+    SECURE_HSTS_INCLUDE_SUBDOMAINS=False,
     SECURE_FRAME_DENY=False,
     SECURE_CONTENT_TYPE_NOSNIFF=False,
     SECURE_BROWSER_XSS_FILTER=False,

diff --git a/djangosecure/middleware.py b/djangosecure/middleware.py
@@ -8,6 +8,7 @@
 class SecurityMiddleware(object):
     def __init__(self):
         self.sts_seconds = conf.SECURE_HSTS_SECONDS
+        self.sts_include_subdomains = conf.SECURE_HSTS_INCLUDE_SUBDOMAINS
         self.frame_deny = conf.SECURE_FRAME_DENY
         self.content_type_nosniff = conf.SECURE_CONTENT_TYPE_NOSNIFF
         self.xss_filter = conf.SECURE_BROWSER_XSS_FILTER
@@ -45,8 +46,12 @@ def process_response(self, request, response):
         if (self.sts_seconds and
                 request.is_secure() and
                 not 'strict-transport-security' in response):
-            response["strict-transport-security"] = ("max-age=%s"
-                                                     % self.sts_seconds)
+            sts_header = ("max-age=%s" % self.sts_seconds)
+
+            if self.sts_include_subdomains:
+                sts_header = sts_header + "; includeSubDomains"
+
+            response["strict-transport-security"] = sts_header
 
         if (self.content_type_nosniff and
                 not 'x-content-type-options' in response):