Add settings required by SecurityMiddleware

also remove django-secure in prod settings
2024-11-26 11:34:00 +03:00 · 2016-06-03 12:29:20 -07:00 · 2016-06-03 12:29:20 -07:00 · 54575f02de
commit 54575f02de
parent 0fa5261f4a
1 changed files with 9 additions and 3 deletions
--- a/{{cookiecutter.project_slug}}/config/settings/production.py
+++ b/{{cookiecutter.project_slug}}/config/settings/production.py
@ -33,9 +33,6 @@ SECRET_KEY = env('DJANGO_SECRET_KEY')
 # properly on Heroku.
 SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')

-# django-secure
-# ------------------------------------------------------------------------------
-INSTALLED_APPS += ('djangosecure', )
 {% if cookiecutter.use_sentry == 'y' -%}
 # raven sentry client
 # See https://docs.getsentry.com/hosted/clients/python/integrations/django/
@ -71,6 +68,12 @@ MIDDLEWARE_CLASSES = (
    'opbeat.contrib.django.middleware.OpbeatAPMMiddleware',
 ) + MIDDLEWARE_CLASSES
 {%- endif %}
+
+# SECURITY CONFIGURATION
+# ------------------------------------------------------------------------------
+# See https://docs.djangoproject.com/en/1.9/ref/middleware/#module-django.middleware.security
+# and https://docs.djangoproject.com/ja/1.9/howto/deployment/checklist/#run-manage-py-check-deploy
+
 # set this to 60 seconds and then to 518400 when you can prove it works
 SECURE_HSTS_SECONDS = 60
 SECURE_HSTS_INCLUDE_SUBDOMAINS = env.bool(
@ -78,11 +81,14 @@ SECURE_HSTS_INCLUDE_SUBDOMAINS = env.bool(
 SECURE_CONTENT_TYPE_NOSNIFF = env.bool(
    'DJANGO_SECURE_CONTENT_TYPE_NOSNIFF', default=True)
 SECURE_BROWSER_XSS_FILTER = True
+
 SESSION_COOKIE_SECURE = True
 SESSION_COOKIE_HTTPONLY = True
+
 SECURE_SSL_REDIRECT = env.bool('DJANGO_SECURE_SSL_REDIRECT', default=True)
 CSRF_COOKIE_SECURE = True
 CSRF_COOKIE_HTTPONLY = True
+
 X_FRAME_OPTIONS = 'DENY'

 # SITE CONFIGURATION