IBM / BlueXolo

Apache License 2.0

Web Application Security Documentation #484

Open JosueFajardo opened 3 years ago

diegohdezc commented 3 years ago

Still in progress. HTTPS security - pending

snvc00 commented 3 years ago

Configurations Required in Deployment Environments

The settings.py file will be modified to get the values from the environment variables instead of reading the secrets.json. Using a .env file with the key=value format helps Docker get these variables as a command argument during the docker run; this change will also help in Kubernetes and Docker Compose environments.

Web Application Security

For security purposes, make sure to add these environment variables in the .env file to allow cookies and navigation only over HTTPS.

DEBUG=0
SESSION_COOKIE_SECURE=1
CSRF_COOKIE_SECURE=1
SECURE_SSL_REDIRECT=1
SECURE_HSTS_PRELOAD=1
SECURE_HSTS_SECONDS=3600

According to the Django Security Middleware these configurations should be considered in the settings.py file depending on the structure of the application:

SECURE_BROWSER_XSS_FILTER
SECURE_CONTENT_TYPE_NOSNIFF
SECURE_HSTS_INCLUDE_SUBDOMAINS
SECURE_REDIRECT_EXEMPT
SECURE_REFERRER_POLICY
SECURE_SSL_HOST

Documentation link https://docs.djangoproject.com/en/3.1/ref/middleware/#module-django.middleware.security
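As an added example (not code from the BlueXolo project or from the comment above), the following shows one way settings.py could take the values listed in this issue from a key=value .env file or from the process environment, converting the "0"/"1" strings into the booleans and integer Django expects and defaulting to the HTTPS-only setting when a variable is missing. The .env text, the helper names and the fail-closed defaults are my assumptions; the hsts_preload_ready check encodes the hstspreload.org submission requirements (max-age of at least one year, includeSubDomains, preload), which the 3600-second value above does not yet meet.

```python
import os
from typing import Dict, Mapping

# Constructed sample .env mirroring the keys listed in the comment above.
SAMPLE_DOTENV = """\
# production overrides (constructed example, not a real deployment)
DEBUG=0
SESSION_COOKIE_SECURE=1
CSRF_COOKIE_SECURE=1
SECURE_SSL_REDIRECT=1
SECURE_HSTS_PRELOAD=1
SECURE_HSTS_SECONDS=3600
SECRET_KEY='placeholder-not-a-real-key'
"""

def parse_dotenv(text: str) -> Dict[str, str]:
    """Parse key=value lines: blank and '#' lines are skipped, optional quotes stripped."""
    env: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        env[key.strip()] = value
    return env

def env_bool(env: Mapping[str, str], key: str, default: bool) -> bool:
    """Accept 1/true/yes/on (any case) as True; anything else, including unset, is False."""
    return env.get(key, "1" if default else "0").strip().lower() in ("1", "true", "yes", "on")

def security_settings(env: Mapping[str, str]) -> dict:
    """Values for settings.py; a missing variable falls back to the strict (HTTPS-only) side."""
    return {
        "DEBUG": env_bool(env, "DEBUG", default=False),
        "SESSION_COOKIE_SECURE": env_bool(env, "SESSION_COOKIE_SECURE", default=True),
        "CSRF_COOKIE_SECURE": env_bool(env, "CSRF_COOKIE_SECURE", default=True),
        "SECURE_SSL_REDIRECT": env_bool(env, "SECURE_SSL_REDIRECT", default=True),
        "SECURE_HSTS_PRELOAD": env_bool(env, "SECURE_HSTS_PRELOAD", default=False),
        "SECURE_HSTS_INCLUDE_SUBDOMAINS": env_bool(env, "SECURE_HSTS_INCLUDE_SUBDOMAINS", default=False),
        "SECURE_HSTS_SECONDS": int(env.get("SECURE_HSTS_SECONDS", "0")),  # 0 disables the HSTS header
    }

def hsts_preload_ready(settings: dict) -> bool:
    """True only if the resulting Strict-Transport-Security header meets hstspreload.org's rules."""
    return (settings["SECURE_HSTS_SECONDS"] >= 31536000
            and settings["SECURE_HSTS_INCLUDE_SUBDOMAINS"]
            and settings["SECURE_HSTS_PRELOAD"])

if __name__ == "__main__":
    # In settings.py the call would be security_settings(os.environ); here the sample .env is used.
    print(security_settings({**parse_dotenv(SAMPLE_DOTENV), **os.environ}))
```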