18F / 2015-foia-hub

A consolidated FOIA request hub.

Turn on HSTS once HTTPS is deployed and stable #618

Closed konklone closed 9 years ago

konklone commented 9 years ago

After HTTPS is up with our official cert, enable HSTS using django-secure. HTTPS and a redirect should already be present at that time.

konklone commented 9 years ago

(Also, the HSTS header will only be sent once the app is set into production mode, which is #617.)

konklone commented 9 years ago

Now that #658 is deployed, and production mode is enabled from #617, HTTPS is forced and HSTS is present.

HTTPS redirect:

$ curl --head http://open.foia.gov
HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=utf-8
Date: Tue, 24 Mar 2015 19:29:00 GMT
Location: https://open.foia.gov/
Server: waitress
X-Cf-Requestid: 3c21299a-6244-42e9-64e2-ded16cfa057e
X-Frame-Options: SAMEORIGIN
Connection: keep-alive

And HSTS:

$ curl --head https://open.foia.gov
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Date: Tue, 24 Mar 2015 19:27:16 GMT
Server: waitress
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Cf-Requestid: 378e15b8-fc0b-46ec-5f2f-a7684f174005
X-Frame-Options: SAMEORIGIN
Connection: keep-alive

(My box has /etc/hosts modified to make the open.foia.gov route work.)
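The two curl checks above verify the two properties this issue is about: plain HTTP answers with a permanent redirect to the HTTPS origin, and the HTTPS response carries a Strict-Transport-Security header with a long max-age and includeSubDomains. The script below automates those checks by parsing captured `curl --head` output offline. It is an added example, not code from the 2015-foia-hub project; the two response texts are constructed samples modelled on the output in this thread, and the policy thresholds (one-year max-age, subdomains required) are assumptions matching the header shown here.

```python
"""Verify HTTPS redirect and HSTS policy from captured `curl --head` output.

Added example (not part of 2015-foia-hub). Runs offline against constructed
response text so the checks can be unit-tested and reused in a deploy check.
"""

from urllib.parse import urlsplit

# Constructed samples modelled on the curl output in this issue.
HTTP_RESPONSE = """HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=utf-8
Location: https://open.foia.gov/
Server: waitress
"""

HTTPS_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=31536000; includeSubDomains
Server: waitress
"""


def parse_head(raw):
    """Split `curl --head` output into (status_code, {lowercased name: value})."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def parse_hsts(value):
    """Parse an HSTS header value into directives.

    Directive names are case-insensitive; max-age is converted to an int and
    flag directives (includeSubDomains, preload) map to True.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.lower()
        if name == "max-age":
            directives["max-age"] = int(val.strip().strip('"'))
        else:
            directives[name] = True
    return directives


def check_https_redirect(raw, host):
    """True if the plain-HTTP response permanently redirects to https://host."""
    status, headers = parse_head(raw)
    if status not in (301, 308):
        return False
    target = urlsplit(headers.get("location", ""))
    return target.scheme == "https" and target.hostname == host


def check_hsts(raw, min_age=31536000, require_subdomains=True):
    """True if the HTTPS response carries an HSTS header meeting the policy.

    Thresholds are assumptions: one year of max-age and includeSubDomains,
    which is what the header in this issue sets.
    """
    status, headers = parse_head(raw)
    if status != 200 or "strict-transport-security" not in headers:
        return False
    directives = parse_hsts(headers["strict-transport-security"])
    if directives.get("max-age", 0) < min_age:
        return False
    if require_subdomains and not directives.get("includesubdomains"):
        return False
    return True


if __name__ == "__main__":
    print("redirect ok:", check_https_redirect(HTTP_RESPONSE, "open.foia.gov"))
    print("hsts ok:    ", check_hsts(HTTPS_RESPONSE))
```

The ordering the issue follows (HTTPS and the redirect first, HSTS only once that is stable) matters because a cached HSTS policy makes browsers refuse plain HTTP for the whole max-age window; a check like this one run after each deploy confirms the redirect still works before the policy is relied on.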