Lock this baby down. Thanks, PaulM.
jacobian committed Sep 8, 2011
1 parent d92c4d3 commit 4073083
Showing 2 changed files with 13 additions and 0 deletions.
1 change: 1 addition & 0 deletions deploy-requirements.txt
Expand Up @@ -5,6 +5,7 @@ Django >= 1.3, < 1.4
django-haystack == 1.1.0
django-push == 0.4
django-registration == 0.7
django-secure == 0.1.0
docutils >= 0.6, < 0.7
FeedParser >= 5.0, <= 5.1
Jinja2 >= 2.4, < 2.5
12 changes: 12 additions & 0 deletions django_website/settings/www.py
Expand Up @@ -67,6 +67,7 @@
'django_website.docs',
'registration',
'south',
'djangosecure',
]

CACHE_MIDDLEWARE_SECONDS = 60 * 5 # 5 minutes
Expand All @@ -75,7 +76,9 @@
CACHE_MIDDLEWARE_ANONYMOUS_ONLY = True

MIDDLEWARE_CLASSES = [
'djangosecure.middleware.SecurityMiddleware',
'django.contrib.sessions.middleware.SessionMiddleware',
'django.middleware.csrf.CsrfViewMiddleware',
'django.contrib.auth.middleware.AuthenticationMiddleware',
'django.middleware.common.CommonMiddleware',
'django.contrib.flatpages.middleware.FlatpageFallbackMiddleware',
Expand Down Expand Up @@ -161,6 +164,15 @@
PUSH_CREDENTIALS = 'django_website.aggregator.utils.push_credentials'
PUSH_SSL_CALLBACK = PRODUCTION

# Lock down some security stuff
if PRODUCTION:
SESSION_COOKIE_SECURE = True
SESSION_COOKIE_HTTPONLY = True
SECURE_SSL_REDIRECT = True
SECURE_FRAME_DENY = True
SECURE_HSTS_SECONDS = 600
SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTOCOL", "SSL")

# If django-debug-toolbar is installed enable it.
if not PRODUCTION:
try:
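Review bot: `SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTOCOL", "SSL")` in the production block makes Django treat any request carrying that header as HTTPS, so the `SECURE_SSL_REDIRECT` and `SESSION_COOKIE_SECURE` settings above it are only as reliable as the front-end proxy that sets or strips the header on every inbound request; that assumption deserves recording next to the setting, e.g. `# Assumes the front-end proxy always overwrites X-Forwarded-Protocol; the app must only be reachable through it.` `SECURE_HSTS_SECONDS = 600` is a ten-minute max-age that browsers will forget almost immediately, which is a sensible first step while the redirect is verified, but a comment such as `# Deliberately short during rollout; raise substantially once the SSL redirect is confirmed working` would stop it being mistaken for a final value. A smaller point: the `MIDDLEWARE_CLASSES` hunk header reports two additions, but only the `SecurityMiddleware` line is distinguishable as new in this rendering, so the second addition could not be reviewed here.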
