3 Ways to HTTPS

1. Cloudflare

There are many third-party vendors, such as Cloudflare, that can help you secure your domain.

Once the app's domain is pointed to Cloudflare's nameservers, Cloudflare acts as a reverse proxy, a middleman between the host where the app runs and the users (clients). It intercepts requests from clients and handles the SSL/TLS encryption, managing the HTTPS connection with each client. Note that the leg from Cloudflare back to your origin server is a separate connection with its own TLS settings; HTTPS at the edge does not by itself mean the origin leg is encrypted.

2. Host your own

One can leverage tools like Let's Encrypt + Nginx to essentially host your own server. In this scenario one is responsible for the infrastructure, and one would also need a vendor's virtual private cloud, for example on AWS, GCP, Linode, or DigitalOcean. Let's Encrypt would be the method of obtaining and renewing the SSL/TLS certificates that let Nginx serve the site over HTTPS.

3. PaaS + Django

In this option one can leave all the scaling, server maintenance, certificate management and general backend housekeeping to a PaaS such as Google App Engine, Heroku, or PythonAnywhere. HTTPS is usually provided automatically.

Of course, you can reinforce this in the settings.py file by enforcing HTTPS redirection and secure cookies.

Here is an example of what can be added to the settings.py:

# Auto redirect to HTTPS
# Behind a reverse proxy or PaaS that terminates TLS for you, the app sees plain HTTP;
# Django then needs SECURE_PROXY_SSL_HEADER set as well, or every request redirects in a loop.
SECURE_SSL_REDIRECT = True
# Enable HSTS
SECURE_HSTS_SECONDS = 31536000  # 1 year
SECURE_HSTS_INCLUDE_SUBDOMAINS = True  # Include subdomains in the HSTS policy
SECURE_HSTS_PRELOAD = True  # Allows your site to be submitted to browsers' HSTS preload lists
# Secure Cookies (only sent over HTTPS)
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True
# Additional security
SECURE_BROWSER_XSS_FILTER = True  # Sets X-XSS-Protection; deprecated in Django 3.0, removed in 4.0, and ignored by modern browsers
X_FRAME_OPTIONS = 'DENY'  # Prevents the site from being framed (defense against clickjacking)
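The settings above behave differently depending on whether TLS terminates at Django or at a proxy in front of it (Cloudflare, Heroku, App Engine). The following added example is a simplified, dependency-free model of what Django's SecurityMiddleware does with these settings; it is not Django's own code, and the names Settings, is_secure, process_request and demo are mine. SECURE_PROXY_SSL_HEADER and the HTTP_X_FORWARDED_PROTO META key are real Django concepts; the request values are constructed.

```python
"""Model of how SECURE_SSL_REDIRECT, HSTS and secure cookies act on a request.

Added illustration; it mirrors the documented behaviour of Django's
SecurityMiddleware but is not Django code and does not import Django.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Settings:
    SECURE_SSL_REDIRECT: bool = False
    SECURE_HSTS_SECONDS: int = 0
    SECURE_HSTS_INCLUDE_SUBDOMAINS: bool = False
    SECURE_HSTS_PRELOAD: bool = False
    SESSION_COOKIE_SECURE: bool = False
    # When a proxy terminates TLS, Django only trusts this (header, value) pair
    # as proof that the client used HTTPS. It must ONLY be set when the proxy
    # strips the header from incoming requests, otherwise clients can spoof it.
    SECURE_PROXY_SSL_HEADER: Optional[Tuple[str, str]] = None


def is_secure(settings: Settings, scheme: str, meta: dict) -> bool:
    """Mirror of request.is_secure(): direct TLS, or the trusted proxy header."""
    if scheme == "https":
        return True
    if settings.SECURE_PROXY_SSL_HEADER:
        name, value = settings.SECURE_PROXY_SSL_HEADER
        return meta.get(name) == value
    return False


def process_request(settings: Settings, host: str, path: str,
                    scheme: str, meta: dict):
    """Return ('redirect', url) or ('ok', response_headers)."""
    secure = is_secure(settings, scheme, meta)
    if settings.SECURE_SSL_REDIRECT and not secure:
        return ("redirect", f"https://{host}{path}")

    headers = {}
    # HSTS is only emitted on responses that were served over HTTPS.
    if settings.SECURE_HSTS_SECONDS and secure:
        hsts = f"max-age={settings.SECURE_HSTS_SECONDS}"
        if settings.SECURE_HSTS_INCLUDE_SUBDOMAINS:
            hsts += "; includeSubDomains"
        if settings.SECURE_HSTS_PRELOAD:
            hsts += "; preload"
        headers["Strict-Transport-Security"] = hsts

    cookie = "sessionid=abc123; HttpOnly; SameSite=Lax"  # constructed sample
    if settings.SESSION_COOKIE_SECURE:
        cookie += "; Secure"  # browser will never send it over plain HTTP
    headers["Set-Cookie"] = cookie
    return ("ok", headers)


def demo():
    """Same proxied HTTPS request, with and without the proxy header trusted."""
    # The proxy spoke HTTPS to the client but forwards plain HTTP to the app,
    # recording the original scheme in X-Forwarded-Proto (constructed request).
    host, path, scheme = "app.example", "/login/", "http"
    meta = {"HTTP_X_FORWARDED_PROTO": "https"}

    # Settings from the article only: the app cannot tell the request was
    # secure, so it redirects to https://... which arrives the same way. Loop.
    naive = Settings(SECURE_SSL_REDIRECT=True, SECURE_HSTS_SECONDS=31536000,
                     SECURE_HSTS_INCLUDE_SUBDOMAINS=True, SECURE_HSTS_PRELOAD=True,
                     SESSION_COOKIE_SECURE=True)
    looping = process_request(naive, host, path, scheme, meta)

    # Same settings plus the proxy header: request recognised as secure,
    # served with HSTS and a Secure cookie.
    fixed = Settings(**{**naive.__dict__,
                        "SECURE_PROXY_SSL_HEADER": ("HTTP_X_FORWARDED_PROTO", "https")})
    served = process_request(fixed, host, path, scheme, meta)
    return looping, served


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Run it and the first outcome is a redirect to the very URL the client already requested, which is the redirect loop that appears when SECURE_SSL_REDIRECT is enabled behind a PaaS or Cloudflare without SECURE_PROXY_SSL_HEADER; the second is the served response carrying the HSTS header built from the three HSTS settings and a session cookie flagged Secure.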