Browser Security Headers
In settings.py:
Add middleware (both go in MIDDLEWARE, as high as possible in the list):
django.middleware.security.SecurityMiddleware
django.middleware.clickjacking.XFrameOptionsMiddleware  # as high as possible in the middleware section
SECURE_BROWSER_XSS_FILTER = True  # sets X-XSS-Protection; deprecated in Django 3.0 and removed in 4.0, browsers ignore the header
SECURE_HSTS_INCLUDE_SUBDOMAINS = True
SECURE_HSTS_PRELOAD = True
SECURE_CONTENT_TYPE_NOSNIFF = True
X_FRAME_OPTIONS = 'DENY'
SECURE_REFERRER_POLICY = 'same-origin'
====================================================
Used in Jubilee
====================================================
SECURE_SSL_HOST = None  # expects a hostname string (redirect target for SSL redirects) or None; a boolean is not a valid value
# SECURE_SSL_REDIRECT = True  # redirect all http requests to https
# HSTS setting also done in Azure App Service: Settings > Custom Domains > HTTPS Only
# SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')  # needed behind a TLS-terminating proxy so Django sees requests as secure
SECURE_HSTS_SECONDS = 2592000  # 30 days (2592000 seconds); hstspreload.org requires at least one year (31536000) for preload
SECURE_HSTS_INCLUDE_SUBDOMAINS = True
SECURE_HSTS_PRELOAD = True
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True
X_FRAME_OPTIONS = 'DENY'
SECURE_REFERRER_POLICY = 'same-origin'
# Content-Security-Policy: CSP_* settings come from the django-csp package (add its CSPMiddleware)
CSP_DEFAULT_SRC = ("'self'", "https://illustrationstorage1.blob.core.windows.net/")
CSP_FONT_SRC = ("'self'", "https://illustrationstorage1.blob.core.windows.net/", "https://use.fontawesome.com/")
# Permissions-Policy: this setting comes from the django-permissions-policy package (add its PermissionsPolicyMiddleware); an empty list disables the feature for all origins
PERMISSIONS_POLICY = {
"accelerometer": [],
"gyroscope": [],
"magnetometer": [],
"microphone": [],
"usb": [],
}
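To confirm that a deployment actually emits what the settings above are meant to produce, the following added check (not part of the original notes) inspects a response's headers and flags the gaps a practitioner cares about, including the HSTS preload/max-age mismatch in the Jubilee config. The header set is a constructed sample, not captured traffic.

```python
"""Check an HTTP response's security headers against the Django settings above.
The SAMPLE_HEADERS dict is constructed to resemble the 'Used in Jubilee' config."""
import re

SAMPLE_HEADERS = {  # constructed sample response headers
    "Strict-Transport-Security": "max-age=2592000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "same-origin",
    "Content-Security-Policy": "default-src 'self' https://illustrationstorage1.blob.core.windows.net/; "
                               "font-src 'self' https://illustrationstorage1.blob.core.windows.net/ "
                               "https://use.fontawesome.com/",
    "Permissions-Policy": "accelerometer=(), gyroscope=(), magnetometer=(), microphone=(), usb=()",
}

PRELOAD_MIN_MAX_AGE = 31536000  # hstspreload.org requires max-age of at least one year


def check_headers(headers):
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    # Fixed-value headers set by SecurityMiddleware / XFrameOptionsMiddleware
    expected = {
        "x-content-type-options": "nosniff",
        "x-frame-options": "DENY",
        "referrer-policy": "same-origin",
    }
    for name, want in expected.items():
        got = h.get(name)
        if got is None:
            findings.append(f"missing {name}")
        elif got.strip().lower() != want.lower():
            findings.append(f"{name} is {got!r}, expected {want!r}")
    # HSTS: parse max-age and check it is long enough when preload is requested
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing strict-transport-security")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        max_age = int(m.group(1)) if m else 0
        if "preload" in hsts.lower() and max_age < PRELOAD_MIN_MAX_AGE:
            findings.append(f"HSTS preload requested but max-age {max_age} < {PRELOAD_MIN_MAX_AGE}")
    # CSP must at least carry a default-src fallback for directives not listed
    if "default-src" not in h.get("content-security-policy", ""):
        findings.append("content-security-policy lacks default-src")
    if "permissions-policy" not in h:
        findings.append("missing permissions-policy")
    return findings


if __name__ == "__main__":
    print("\n".join(check_headers(SAMPLE_HEADERS)) or "all checks passed")
```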
====================================================
Resources:
https://adamj.eu/tech/2019/04/10/how-to-score-a+-for-security-headers-on-your-django-website/
https://docs.djangoproject.com/en/dev/ref/middleware/#django.middleware.security.SecurityMiddleware