diff --git a/{{cookiecutter.project_slug}}/config/settings/production.py b/{{cookiecutter.project_slug}}/config/settings/production.py index 7ba483132b..4f45a939bb 100644 --- a/{{cookiecutter.project_slug}}/config/settings/production.py +++ b/{{cookiecutter.project_slug}}/config/settings/production.py @@ -44,6 +44,22 @@ # ------------------------------------------------------------------------------ {% if cookiecutter.use_docker -%} # NOTE headers are managed by the security-headers middleware in traefik.yml +# Uncomment the following if you are not using Traefik +# https://docs.djangoproject.com/en/dev/ref/settings/#secure-ssl-redirect +# SECURE_SSL_REDIRECT = env.bool("DJANGO_SECURE_SSL_REDIRECT", default=True) +# https://docs.djangoproject.com/en/dev/ref/settings/#secure-hsts-seconds +# TODO increase this to *at least* 31536000 (1 year) once HTTPS works +# SECURE_HSTS_SECONDS = 60 +# https://docs.djangoproject.com/en/dev/ref/settings/#secure-hsts-include-subdomains +# SECURE_HSTS_INCLUDE_SUBDOMAINS = env.bool( +# "DJANGO_SECURE_HSTS_INCLUDE_SUBDOMAINS", default=True +# ) +# https://docs.djangoproject.com/en/dev/ref/settings/#secure-hsts-preload +# SECURE_HSTS_PRELOAD = env.bool("DJANGO_SECURE_HSTS_PRELOAD", default=True) +# https://docs.djangoproject.com/en/dev/ref/middleware/#x-content-type-options-nosniff +# SECURE_CONTENT_TYPE_NOSNIFF = env.bool( +# "DJANGO_SECURE_CONTENT_TYPE_NOSNIFF", default=True +# ) {% else -%} # TODO set security headers in your load balancer if possible and remove these # https://docs.djangoproject.com/en/dev/ref/settings/#secure-ssl-redirect