From c9d67c38e59056f39c0c0199902b9af431ef05ab Mon Sep 17 00:00:00 2001
From: James Williams
Date: Sat, 28 Nov 2020 22:23:51 +0000
Subject: [PATCH] add commented out security settings if using docker
---
 .../config/settings/production.py | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/{{cookiecutter.project_slug}}/config/settings/production.py b/{{cookiecutter.project_slug}}/config/settings/production.py
index 8c246206b..453976ad2 100644
--- a/{{cookiecutter.project_slug}}/config/settings/production.py
+++ b/{{cookiecutter.project_slug}}/config/settings/production.py
@@ -45,6 +45,22 @@ CACHES = {
 # ------------------------------------------------------------------------------
 {% if cookiecutter.use_docker -%}
 # NOTE headers are managed by the security-headers middleware in traefik.yml
+# Uncomment the following if you are not using Traefik
+# https://docs.djangoproject.com/en/dev/ref/settings/#secure-ssl-redirect
+# SECURE_SSL_REDIRECT = env.bool("DJANGO_SECURE_SSL_REDIRECT", default=True)
+# https://docs.djangoproject.com/en/dev/ref/settings/#secure-hsts-seconds
+# TODO increase this to *at least* 31536000 (1 year) once HTTPS works
+# SECURE_HSTS_SECONDS = 60
+# https://docs.djangoproject.com/en/dev/ref/settings/#secure-hsts-include-subdomains
+# SECURE_HSTS_INCLUDE_SUBDOMAINS = env.bool(
+# "DJANGO_SECURE_HSTS_INCLUDE_SUBDOMAINS", default=True
+# )
+# https://docs.djangoproject.com/en/dev/ref/settings/#secure-hsts-preload
+# SECURE_HSTS_PRELOAD = env.bool("DJANGO_SECURE_HSTS_PRELOAD", default=True)
+# https://docs.djangoproject.com/en/dev/ref/middleware/#x-content-type-options-nosniff
+# SECURE_CONTENT_TYPE_NOSNIFF = env.bool(
+# "DJANGO_SECURE_CONTENT_TYPE_NOSNIFF", default=True
+# )
 {% else -%}
 # TODO set security headers in your load balancer if possible and remove these
 # https://docs.djangoproject.com/en/dev/ref/settings/#secure-ssl-redirect
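Review bot: The guidance line `# Uncomment the following if you are not using Traefik` at the top of the added block should also say that `SECURE_SSL_REDIRECT` only works behind a TLS-terminating proxy when `SECURE_PROXY_SSL_HEADER` is set, since otherwise every request looks like plain HTTP to Django and is redirected in a loop; if this settings module already sets it above the hunk, a one-line pointer such as `# requires SECURE_PROXY_SSL_HEADER (set above) behind a reverse proxy` is enough. The block also pairs `SECURE_HSTS_SECONDS = 60` with `SECURE_HSTS_PRELOAD` defaulting to True, so anyone who uncomments it verbatim emits a `preload` directive with a 60-second max-age, which preload lists reject; the existing TODO could be extended to `# TODO increase this to *at least* 31536000 (1 year) once HTTPS works; preload is meaningless below that`. The `{% if cookiecutter.use_docker -%}` / `{% else -%}` template block that encloses these lines continues past the hunk.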