From a3b090216c694c6fbd648677f017404d777393db Mon Sep 17 00:00:00 2001 From: Quentin BEY Date: Tue, 13 Jan 2026 23:56:22 +0100 Subject: [PATCH] =?UTF-8?q?=F0=9F=94=A7(settings)=20update=20production=20?= =?UTF-8?q?configuration=20for=20HSTS?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This is based on Docs project settings. --- src/backend/find/settings.py | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/src/backend/find/settings.py b/src/backend/find/settings.py index fc66a08..f330a2b 100755 --- a/src/backend/find/settings.py +++ b/src/backend/find/settings.py @@ -613,6 +613,9 @@ class Production(Base): """ # Security + # Add allowed host from environment variables. + # The machine hostname is added by default, + # it makes the application pingable by a load balancer on the same machine by example ALLOWED_HOSTS = [ *values.ListValue([], environ_name="ALLOWED_HOSTS"), gethostbyname(gethostname()), @@ -632,6 +635,14 @@ class Production(Base): # In other cases, you should comment the following line to avoid security issues. # SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https") SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https") + SECURE_HSTS_SECONDS = 60 + SECURE_HSTS_PRELOAD = True + SECURE_HSTS_INCLUDE_SUBDOMAINS = True + SECURE_SSL_REDIRECT = True + SECURE_REDIRECT_EXEMPT = [ + "^__lbheartbeat__", + "^__heartbeat__", + ] # Modern browsers require to have the `secure` attribute on cookies with `Samesite=none` CSRF_COOKIE_SECURE = True @@ -648,6 +659,11 @@ class Production(Base): environ_name="REDIS_URL", environ_prefix=None, ), + "TIMEOUT": values.IntegerValue( + 30, # timeout in seconds + environ_name="CACHES_DEFAULT_TIMEOUT", + environ_prefix=None, + ), "OPTIONS": { "CLIENT_CLASS": "django_redis.client.DefaultClient", },