Is your feature request related to a problem? Please describe.
We currently don't configure anything special related to security; we just keep the default Django configuration and assume it is up to the project maintainer to decide on and implement security.
The middleware documentation needs to be read comprehensively by a sysadmin beforehand, so we are sure it works well on our infrastructure and so we can advise on some settings and provide some possible documentation.
Describe the solution you'd like
We should enable the Django security middleware in the production settings.
It just needs some tests for the CMS editing interface and CKEditor, because the frontend can sometimes rely on some request/response behaviors that may be blocked by some security settings (like iframe forbidding).
There are also some concerns about the settings not managed by the security middleware:
Describe alternatives you've considered
Just mention the security middleware in the documentation so the project maintainer is aware of it.
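An added example, not part of the original issue or the project's code: a small audit that separates the settings read by Django's `SecurityMiddleware` from the ones it does not manage (cookie flags, the framing header). The setting and middleware names are Django's; the `audit` function, the sample dicts and the `SAMEORIGIN` requirement for the CMS edit interface are assumptions made for illustration.

```python
# Added example: the function name, the findings wording and both sample
# dicts are constructed; only setting and middleware names are Django's.

SECURITY_MW = "django.middleware.security.SecurityMiddleware"
XFRAME_MW = "django.middleware.clickjacking.XFrameOptionsMiddleware"

# Read by SecurityMiddleware: (setting name, check on its value).
MANAGED = [
    ("SECURE_SSL_REDIRECT", lambda v: v is True),
    ("SECURE_HSTS_SECONDS", lambda v: isinstance(v, int) and v > 0),
    ("SECURE_CONTENT_TYPE_NOSNIFF", lambda v: v is True),
]
# Not read by SecurityMiddleware: cookie flags and the framing header.
UNMANAGED = [
    ("SESSION_COOKIE_SECURE", lambda v: v is True),
    ("CSRF_COOKIE_SECURE", lambda v: v is True),
    # Assumption: the CMS edit interface frames same-origin pages, so
    # SAMEORIGIN is required here and DENY would break editing.
    ("X_FRAME_OPTIONS", lambda v: v == "SAMEORIGIN"),
]


def audit(settings):
    """Check explicitly set values only; an empty list means all passed."""
    findings = []
    middleware = settings.get("MIDDLEWARE", [])
    for mw in (SECURITY_MW, XFRAME_MW):
        if mw not in middleware:
            findings.append(f"{mw} is not in MIDDLEWARE")
    for name, ok in MANAGED + UNMANAGED:
        if not ok(settings.get(name)):
            findings.append(f"{name}={settings.get(name)!r} fails the production check")
    return findings


# Constructed sample: nothing security-related set explicitly.
UNSET = {"MIDDLEWARE": ["django.middleware.common.CommonMiddleware"]}

# Constructed sample: hardened production settings.
HARDENED = {
    "MIDDLEWARE": [SECURITY_MW, "django.middleware.common.CommonMiddleware", XFRAME_MW],
    "SECURE_SSL_REDIRECT": True,
    "SECURE_HSTS_SECONDS": 3600,
    "SECURE_CONTENT_TYPE_NOSNIFF": True,
    "SESSION_COOKIE_SECURE": True,
    "CSRF_COOKIE_SECURE": True,
    "X_FRAME_OPTIONS": "SAMEORIGIN",
}
```

In a real project, `python manage.py check --deploy` covers the same ground against the loaded settings; this sketch only shows which names fall outside the security middleware.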