4.5. Settings Security

Append to myproject/settings.py:

    import os

    # Only an explicit "1", "true" or "yes" enables HTTPS-only mode.
    # bool(os.getenv(...)) would treat any non-empty string, including "0"
    # and "False", as True, silently enabling the redirect on a plain-HTTP
    # development server.
    MYPROJECT_HTTPSONLY = os.getenv('MYPROJECT_HTTPSONLY', '').strip().lower() in ('1', 'true', 'yes')

    if MYPROJECT_HTTPSONLY:
        SECURE_SSL_REDIRECT = True          # redirect every http:// request to https://
        SESSION_COOKIE_SECURE = True        # session cookie is only sent over TLS
        CSRF_COOKIE_SECURE = True           # same for the CSRF cookie
        SECURE_HSTS_SECONDS = 3600          # short HSTS max-age during rollout; raise once stable
    else:
        SECURE_SSL_REDIRECT = False
        SESSION_COOKIE_SECURE = False
        CSRF_COOKIE_SECURE = False
        SECURE_HSTS_SECONDS = 0             # 0 disables the Strict-Transport-Security header

    SECURE_HSTS_INCLUDE_SUBDOMAINS = True   # only takes effect when SECURE_HSTS_SECONDS > 0
    SECURE_CONTENT_TYPE_NOSNIFF = True      # X-Content-Type-Options: nosniff
    SECURE_BROWSER_XSS_FILTER = True        # X-XSS-Protection; deprecated in Django 3.0, removed in 4.0
    X_FRAME_OPTIONS = 'DENY'                # set by XFrameOptionsMiddleware

The SECURE_* settings are applied by django.middleware.security.SecurityMiddleware and X_FRAME_OPTIONS by django.middleware.clickjacking.XFrameOptionsMiddleware; both are in the MIDDLEWARE list that startproject generates, so make sure they have not been removed. If TLS is terminated by a reverse proxy, SECURE_SSL_REDIRECT also needs SECURE_PROXY_SSL_HEADER configured, otherwise Django sees every request as plain HTTP and the redirect loops. Before enabling HSTS with SECURE_HSTS_INCLUDE_SUBDOMAINS, confirm that every subdomain of the site is served over HTTPS, because browsers cache the policy for the full max-age. `python manage.py check --deploy` lists which of these settings are still off.
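The environment-variable parsing is the part of this snippet that is easiest to get wrong, so here is an added example, not code from the original tutorial, that puts the naive `bool(os.getenv(...))` pattern next to a strict parser and shows which settings each value of the variable produces. The names `naive_env_bool`, `env_bool`, `https_settings` and `settings_from_environ` are this example's own, and the sample environments are constructed inline.

```python
import os

TRUE_VALUES = frozenset({'1', 'true', 'yes', 'on'})
FALSE_VALUES = frozenset({'0', 'false', 'no', 'off', ''})


def naive_env_bool(environ, name, default=False):
    """The original pattern: bool() of the raw string.

    Any non-empty string is truthy, so MYPROJECT_HTTPSONLY=0 or
    MYPROJECT_HTTPSONLY=False both enable HTTPS-only mode.
    """
    return bool(environ.get(name, default))


def env_bool(environ, name, default=False):
    """Strict parser: accept only known spellings, reject everything else.

    An unrecognised value raises instead of guessing, so a typo in a
    production environment stops startup rather than silently flipping a
    security control.
    """
    raw = environ.get(name)
    if raw is None:
        return default
    value = raw.strip().lower()
    if value in TRUE_VALUES:
        return True
    if value in FALSE_VALUES:
        return False
    raise ValueError(f'{name}={raw!r} is not a recognised boolean')


def https_settings(https_only):
    """The settings the tutorial toggles, keyed by Django setting name."""
    return {
        'SECURE_SSL_REDIRECT': https_only,
        'SESSION_COOKIE_SECURE': https_only,
        'CSRF_COOKIE_SECURE': https_only,
        'SECURE_HSTS_SECONDS': 3600 if https_only else 0,
    }


def settings_from_environ(environ):
    """Resolve the HTTPS-related settings from a mapping such as os.environ."""
    return https_settings(env_bool(environ, 'MYPROJECT_HTTPSONLY'))


if __name__ == '__main__':
    # Constructed sample environments; settings.py would pass os.environ.
    samples = [{}, {'MYPROJECT_HTTPSONLY': '0'}, {'MYPROJECT_HTTPSONLY': 'False'},
               {'MYPROJECT_HTTPSONLY': '1'}]
    for env in samples:
        print(env, 'naive:', naive_env_bool(env, 'MYPROJECT_HTTPSONLY'),
              'strict:', env_bool(env, 'MYPROJECT_HTTPSONLY'))
    print('from os.environ:', settings_from_environ(os.environ))
```

Running it shows the divergence directly: for `MYPROJECT_HTTPSONLY=0` the naive parser returns True while the strict one returns False, and the strict parser also tolerates whitespace and case (`" Yes "`) while refusing values like `maybe`.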