Add django-secure. HTTPS always!

app/settings.py

@@ -26,6 +26,7 @@
 SESSION_REDIS_DB = CACHES['default']['OPTIONS']['DB']
 SESSION_REDIS_PASSWORD = CACHES['default']['OPTIONS']['PASSWORD']
 SESSION_REDIS_PREFIX = 'sess'
+SESSION_COOKIE_SECURE = True
 
 # Use Redis as the broker for Celery tasks
 BROKER_URL = (lambda password, db: 'redis://:%%s@%(LOCATION)s/%%d' \
@@ -141,6 +142,7 @@
 )
 
 MIDDLEWARE_CLASSES = (
+    'djangosecure.middleware.SecurityMiddleware',
     'django.middleware.common.CommonMiddleware',
     'django.contrib.sessions.middleware.SessionMiddleware',
     'django.middleware.csrf.CsrfViewMiddleware',
@@ -178,8 +180,18 @@
     'gunicorn',
     'raven.contrib.django',
     'djcelery',
+    'djangosecure',
 )
 
+# Security
+SECURE_SSL_REDIRECT = True
+SECURE_HSTS_SECONDS = 60 * 60  # 1 hour
+SECURE_HSTS_INCLUDE_SUBDOMAINS = True
+SECURE_FRAME_DENY = True
+SECURE_CONTENT_TYPE_NOSNIFF = True
+SECURE_BROWSER_XSS_FILTER = True
+SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTOCOL', 'https')
+
 # A sample logging configuration. The only tangible logging
 # performed by this configuration is to send an email to
 # the site admins on every HTTP 500 error when DEBUG=False.

requirements.txt

@@ -6,13 +6,15 @@ billiard==2.7.3.28
 boto==2.6.0
 celery==3.0.19
 celery-with-redis==3.0
+distribute==0.6.34
 dj-database-url==0.2.1
 django-celery==3.0.17
 django-celery-with-redis==3.0
 django-heroku-redisify==0.2.1
 django-redis-cache==0.9.7
 django-redis-sessions==0.4.0
 django-s3-folder-storage==0.1
+django-secure==1.0
 django-storages==1.1.5
 gunicorn==0.16.1
 hiredis==0.1.1