HTTP Strict Transport Security (HSTS)
When this is configured, the server sends a Strict-Transport-Security response header, and any browser that has seen it will connect to the site only over HTTPS for the stated period: http:// URLs are rewritten to https:// before the request is sent, and certificate errors cannot be clicked through. Two caveats: browsers honour the header only when it arrives over HTTPS, and the very first visit to a site is unprotected unless the domain is preloaded.
Here are three ways to set it up.
Django's built-in HSTS settings
Django's settings.py can be configured the following way to enable HSTS in production. The header is emitted by django.middleware.security.SecurityMiddleware, so that middleware must be in MIDDLEWARE, and it is only added to responses for HTTPS requests (so SECURE_SSL_REDIRECT = True belongs alongside these settings).
# Enable HSTS in Django (sent by SecurityMiddleware on HTTPS responses only)
SECURE_HSTS_SECONDS = 15552000  # max-age for HSTS, here 6 months (in seconds)
SECURE_HSTS_INCLUDE_SUBDOMAINS = True  # Apply HSTS to all subdomains
SECURE_HSTS_PRELOAD = True  # Add the preload directive (optional; research before applying!)
Here is what each of these settings does:
SECURE_HSTS_SECONDS
: The max-age directive of the header, in seconds. 15552000 is six months; 31536000 (one year) is the other common choice and is the minimum the HSTS preload list accepts. Django's documentation recommends starting with a short value such as 3600 and raising it only once every page and subdomain is confirmed to work over HTTPS, because a browser that has seen the header will refuse plain HTTP for the whole period.
SECURE_HSTS_INCLUDE_SUBDOMAINS
: When set to True, adds the includeSubDomains directive, so the policy also covers every subdomain of the host that sent the header. Any subdomain still served over plain HTTP becomes unreachable for those browsers.
SECURE_HSTS_PRELOAD
: When set to True, adds the preload directive. This does not by itself put the domain on the browsers' built-in HSTS preload list; it only signals consent. The domain still has to be submitted at hstspreload.org, which requires a max-age of at least 31536000, includeSubDomains, and an HTTP-to-HTTPS redirect on the bare domain. Once preloaded, removal takes months to reach users, so read the requirements there before enabling it.
HSTS with Cloudflare
If the domain is proxied through Cloudflare, this is straightforward click-ops: Cloudflare adds the header at its edge, so the origin server does not need to send it.
- Log into Cloudflare.
- Select the domain and, in the left pane, navigate to SSL/TLS > Edge Certificates.
- Scroll down to the HSTS section and enable it. Cloudflare shows a warning about locking the site to HTTPS that has to be acknowledged before the settings open.
- Configure HSTS:
  - Max Age Header: 6 months or 12 months.
  - Apply HSTS policy to subdomains: enable only if every subdomain is served over HTTPS.
  - Preload: again, do this with caution, and only after reading the requirements at hstspreload.org.
One caveat: browsers remember the policy, so if the domain is later taken off the Cloudflare proxy, the origin must keep serving valid HTTPS until the max-age has expired for every visitor.
Self-managed server with Nginx
server {
    listen 443 ssl;
    # Additional server settings (certificate, key, TLS options)
    ...
    # HSTS header; "always" sends it on error responses too.
    # The preload list requires max-age of at least 31536000, so drop
    # "preload" until you intend to submit the domain with a one-year max-age.
    add_header Strict-Transport-Security "max-age=15552000; includeSubDomains; preload" always;
}
As with the other two methods, max-age
tells the browser for how many seconds after receiving the header to connect only over HTTPS; during that period it rewrites http:// requests to https:// and treats certificate errors as fatal.
includeSubDomains
applies the policy to all subdomains as well.
preload
adds the preload directive only; the domain is not preloaded until it is submitted at hstspreload.org, and the list requires a max-age of at least 31536000 (one year), so the 15552000 value above would be rejected with preload set. Only do this after reading the requirements there.
Two Nginx caveats: add_header directives are not inherited into a location block that declares its own add_header, so the HSTS line must be repeated in any such location; and the header belongs only in the HTTPS server block, since browsers ignore it on plain HTTP.
Remember: test the configuration with nginx -t, then reload the server (nginx -s reload, or systemctl reload nginx) to apply the change.
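To see what the Django settings and the Nginx add_header line above actually put on the wire, here is an added example (mine, not from the original post, Django or Nginx) that composes the header value the way Django's SecurityMiddleware does, parses a received value per RFC 6797, and lists the reasons hstspreload.org would reject it. The function names are my own and the inputs are constructed header strings, so it runs offline.

```python
"""Build, parse and sanity-check Strict-Transport-Security header values.

Added example, not part of the original post. Runs offline against
constructed header strings rather than a live site.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

ONE_YEAR = 31536000  # minimum max-age accepted by the hstspreload.org submission form


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def build_header(sts_seconds: int, include_subdomains: bool, preload: bool) -> str:
    """Compose the header value in the order Django's SecurityMiddleware (and the
    Nginx line on this page) emit it: max-age first, then the optional directives."""
    value = f"max-age={sts_seconds}"
    if include_subdomains:
        value += "; includeSubDomains"
    if preload:
        value += "; preload"
    return value


def parse_hsts(header: str) -> Optional[HstsPolicy]:
    """Parse a received header value per RFC 6797: directives are ';'-separated,
    names are case-insensitive, values may be quoted, max-age is mandatory,
    unknown directives are ignored and no directive may repeat.
    Returns None when the value is not a valid HSTS policy."""
    max_age = None
    include_subdomains = False
    preload = False
    seen = set()
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in seen:
            return None  # RFC 6797 6.1: each directive appears at most once
        seen.add(name)
        if name == "max-age":
            if not re.fullmatch(r"\d+", value):
                return None  # max-age must be a non-negative integer
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def preload_problems(header: str) -> List[str]:
    """Return the header-level reasons hstspreload.org would reject this value.
    An empty list means the header itself is eligible; the submission site also
    checks the certificate and the HTTP->HTTPS redirect, which a header check
    cannot see."""
    policy = parse_hsts(header)
    if policy is None:
        return ["header is missing or malformed"]
    problems = []
    if policy.max_age < ONE_YEAR:
        problems.append(f"max-age={policy.max_age} is below the 1-year minimum ({ONE_YEAR})")
    if not policy.include_subdomains:
        problems.append("includeSubDomains directive missing")
    if not policy.preload:
        problems.append("preload directive missing")
    return problems


if __name__ == "__main__":
    # Constructed inputs mirroring the two max-age values discussed on this page.
    six_months = build_header(15552000, True, True)  # the page's own settings
    one_year = build_header(31536000, True, True)
    for value in (six_months, one_year):
        print(value, "->", preload_problems(value) or "eligible")
```

To check a live site instead, fetch the header with curl -sI https://your-domain/ | grep -i strict-transport-security (your-domain is a placeholder) and pass the value after the colon to preload_problems. The six-month header from the page comes back with one problem, the max-age, which is exactly why the preload option should stay off until you have committed to a one-year value.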