I am using the settings below to secure a Django application served with Gunicorn behind NGINX.
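# Production hardening for a Django app served by Gunicorn behind NGINX
# (NGINX terminates TLS and proxies to Gunicorn on the loopback interface).

# https://docs.djangoproject.com/en/3.1/ref/settings/#allowed-hosts
# Host-header allow-list; requests whose Host is not listed are rejected.
ALLOWED_HOSTS = ['localhost', '127.0.0.1', 'your-django-site-domain.com']

# https://docs.djangoproject.com/en/3.1/ref/settings/#debug
# Never True in production: debug pages expose settings, source and tracebacks.
DEBUG = False

# https://docs.djangoproject.com/en/3.1/ref/settings/#secure-hsts-seconds
# HSTS max-age in seconds. The original value (3600) is inconsistent with
# SECURE_HSTS_PRELOAD below: preload-list submission requires a max-age of at
# least one year (31536000). The NGINX config on this page already sends
# max-age=31536000, so browsers are committed to that lifetime anyway.
# With includeSubDomains every subdomain must already serve HTTPS.
# Only one layer should emit Strict-Transport-Security; if NGINX keeps its
# add_header, set this to 0 rather than sending the header twice.
SECURE_HSTS_SECONDS = 31536000

# https://docs.djangoproject.com/en/3.1/ref/settings/#secure-hsts-preload
SECURE_HSTS_PRELOAD = True

# https://docs.djangoproject.com/en/3.1/ref/settings/#secure-hsts-include-subdomains
SECURE_HSTS_INCLUDE_SUBDOMAINS = True

# https://docs.djangoproject.com/en/3.1/ref/settings/#secure-content-type-nosniff
# X-Content-Type-Options: nosniff — stops MIME sniffing of responses.
SECURE_CONTENT_TYPE_NOSNIFF = True

# https://docs.djangoproject.com/en/3.1/ref/settings/#secure-browser-xss-filter
# Sets X-XSS-Protection; current browsers ignore this header, so it adds
# little, but it is harmless to keep.
SECURE_BROWSER_XSS_FILTER = True

# https://docs.djangoproject.com/en/3.1/ref/settings/#session-cookie-secure
# Cookies are only sent over HTTPS; requires the proxy header below so
# Django knows the request arrived over TLS.
SESSION_COOKIE_SECURE = True

# https://docs.djangoproject.com/en/3.1/ref/settings/#csrf-cookie-secure
CSRF_COOKIE_SECURE = True

# https://docs.djangoproject.com/en/3.1/ref/settings/#x-frame-options
# Clickjacking protection: the site may not be framed at all.
X_FRAME_OPTIONS = 'DENY'

# https://docs.djangoproject.com/en/3.1/ref/settings/#secure-ssl-redirect
# NGINX already redirects port 80 to HTTPS; this is a second line of defence
# and only works correctly together with SECURE_PROXY_SSL_HEADER.
SECURE_SSL_REDIRECT = True

# https://docs.djangoproject.com/en/3.1/ref/settings/#secure-proxy-ssl-header
# Trust X-Forwarded-Proto as the TLS indicator. This is safe only because
# NGINX overwrites that header (proxy_set_header) and Gunicorn is bound to
# 127.0.0.1, so a client cannot reach Gunicorn and inject the header itself.
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')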
# Start Gunicorn from the project virtualenv, bound to loopback only
# (NGINX is the public-facing side; nothing else should reach this port).
# NOTE(review): the NGINX config on this page proxies to 127.0.0.1:8000 while
# this binds 8004 — the two must agree or every request returns 502.
# NOTE(review): -t 1000000 (~11.5 days) lets one stuck request pin a worker
# indefinitely; with only 2 workers that is an easy availability hit. NGINX
# buffers request bodies by default, so the worker timeout does not need to
# cover upload time — a value in the tens of seconds is the usual range.
/data/kathirvel/django-env/bin/gunicorn \
    -w 2 \
    -b 127.0.0.1:8004 \
    -t 1000000 \
    django_app_name.wsgi
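# Plain-HTTP listener: its only job is to send clients to HTTPS.
server {
    listen 80;
    server_name your-site-domain.com;
    # Kept so oversized POSTs get a 413 here rather than an unexpected error;
    # the size check runs before the return.
    client_max_body_size 1024M;
    # Redirect preserving path and query string; the original form dropped
    # them, sending every request to "/".
    return 301 https://your-site-domain.com$request_uri;
}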
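# TLS listener; terminates HTTPS and proxies to Gunicorn on loopback.
server {
    # "ssl" on the listen line is what enables TLS; the old "ssl on;"
    # directive is deprecated and was removed from recent nginx releases.
    listen 443 ssl default_server;
    ssl_certificate /ssl/your-site-domain.com.cer;
    ssl_certificate_key /ssl/your-site-domain.com.key;
    # NOTE(review): consider pinning ssl_protocols to TLSv1.2 and newer once
    # the nginx/OpenSSL build is confirmed to support it.
    # substitute by your FQDN and machine's IP address
    server_name your-site-domain.com;
    client_max_body_size 1024M;
    # HSTS for everything nginx serves (including static files and error
    # pages). Django's SecurityMiddleware (SECURE_HSTS_SECONDS) emits the same
    # header on proxied responses; keep a single source so the two values
    # cannot drift — if Django keeps it, drop this add_header.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    location / {
        # Must match Gunicorn's --bind; the command on this page binds
        # 127.0.0.1:8004, the original proxied to 8000 (every request 502'd).
        proxy_pass http://127.0.0.1:8004;
        proxy_redirect off;
        # Overwrites any client-supplied value, which is what makes Django's
        # SECURE_PROXY_SSL_HEADER safe to trust.
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # NOTE(review): ~3 years; a hung upstream holds this connection open
        # indefinitely. Size this to the slowest legitimate response instead.
        proxy_read_timeout 100000000;
    }
}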