Lock this baby down. Thanks, PaulM.

commit 40730832663332450982e84eb271fd36800ca0f1 1 parent d92c4d3
Jacob Kaplan-Moss authored September 08, 2011
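--- a/deploy-requirements.txt
+++ b/deploy-requirements.txt
@@ -5,6 +5,7 @@ Django >= 1.3, < 1.4
 django-haystack == 1.1.0
 django-push == 0.4
 django-registration == 0.7
+django-secure == 0.1.0
 docutils >= 0.6, < 0.7
 FeedParser >= 5.0, <= 5.1
 Jinja2 >= 2.4, < 2.5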
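--- a/django_website/settings/www.py
+++ b/django_website/settings/www.py
@@ -67,6 +67,7 @@
     'django_website.docs',
     'registration',
     'south',
+    'djangosecure',
 ]
 
 CACHE_MIDDLEWARE_SECONDS = 60 * 5 # 5 minutes
@@ -75,7 +76,9 @@
 CACHE_MIDDLEWARE_ANONYMOUS_ONLY = True
 
 MIDDLEWARE_CLASSES = [
+    'djangosecure.middleware.SecurityMiddleware',
     'django.contrib.sessions.middleware.SessionMiddleware',
+    'django.middleware.csrf.CsrfViewMiddleware',
     'django.contrib.auth.middleware.AuthenticationMiddleware',
     'django.middleware.common.CommonMiddleware',
     'django.contrib.flatpages.middleware.FlatpageFallbackMiddleware',
@@ -161,6 +164,15 @@
 PUSH_CREDENTIALS = 'django_website.aggregator.utils.push_credentials'
 PUSH_SSL_CALLBACK = PRODUCTION
 
+# Lock down some security stuff
+if PRODUCTION:
+    SESSION_COOKIE_SECURE = True
+    SESSION_COOKIE_HTTPONLY = True
+    SECURE_SSL_REDIRECT = True
+    SECURE_FRAME_DENY = True
+    SECURE_HSTS_SECONDS = 600
+    SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTOCOL", "SSL")
+
 # If django-debug-toolbar is installed enable it.
 if not PRODUCTION:
     try: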
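Review bot: The new `SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTOCOL", "SSL")` in the last hunk makes the HTTPS decision depend on a request header, so `SECURE_SSL_REDIRECT` and the secure-cookie settings above it are only as strong as the front-end proxy's guarantee to overwrite or strip `X-Forwarded-Protocol` on every incoming request; whether the proxy does that is not visible in this commit. A comment recording that invariant beside the setting would keep a later deployment change from silently weakening it, e.g. `# Only valid because the front-end proxy always sets X-Forwarded-Protocol itself; a client-supplied value must never reach Django.` `SECURE_HSTS_SECONDS = 600` is a cautious first value, and a short note on when to raise it once HTTPS is confirmed stable would help the next reader.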
