@vi4hu
Last active June 28, 2022 12:13
Security checks before deploying any Django application
# you can run all of Django's deployment security checks with
# python manage.py check --deploy
# set debug to false (never leave it on in production: tracebacks expose settings and source)
DEBUG = False # True in the settings.py that startproject generates
# set allowed hosts: entries are hostnames (e.g. "www.example.com"), not full URLs
ALLOWED_HOSTS = ["your website url"] # requests whose Host header does not match one of these are rejected
# A tuple representing a HTTP header/value combination that signifies a request is secure. This controls the behavior of the request object's is_secure() method.
# By default, is_secure() determines if a request is secure by confirming that a requested URL uses https://. This method is important for Django's CSRF protection, and it may be used by your own code or third-party apps.
# Only set this when Django sits behind a proxy that always overwrites the header; if a client can supply the header itself, is_secure() can be made to return True for a plain-HTTP request.
SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https") # default: None
# redirects all non-HTTPS requests to HTTPS
SECURE_SSL_REDIRECT = True # default: False
# the session cookie will be marked as "secure", which means browsers only send it over an HTTPS connection.
SESSION_COOKIE_SECURE = True # False by default
# the CSRF cookie will be marked as "secure", which means browsers only send it over an HTTPS connection.
CSRF_COOKIE_SECURE = True # False by default
# sets the HTTP Strict Transport Security header on all responses that do not already have it.
SECURE_HSTS_SECONDS = 15768090 # 0 by default. set low while testing, but when the site is ready for deployment, set to at least 15768000 (6 months)
# adds the includeSubDomains directive to the HTTP Strict Transport Security header. It has no effect unless SECURE_HSTS_SECONDS is set to a non-zero value.
SECURE_HSTS_INCLUDE_SUBDOMAINS = True # False by default
# adds the preload directive to the HTTP Strict Transport Security header. It has no effect unless SECURE_HSTS_SECONDS is set to a non-zero value.
SECURE_HSTS_PRELOAD = True # False by default
# sets the X-XSS-Protection: 1; mode=block header on all responses that do not already have it.
# Modern browsers don't honor the X-XSS-Protection header anymore. Although the setting offers little practical benefit, you may still want to set the header if you support older browsers.
SECURE_BROWSER_XSS_FILTER = True # False by default
# visit https://docs.djangoproject.com/en/3.1/ref/settings/ for more details
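The settings above can be audited without a Django project on the machine. The following is an added example, not the gist's code and not Django's own `check --deploy` command: it re-implements the same handful of checks on a plain dict, flags the common mistake of putting a URL instead of a hostname into ALLOWED_HOSTS, and assembles the Strict-Transport-Security header value that SecurityMiddleware would emit from the HSTS settings. The `HARDENED_SETTINGS` dict and the hostname `www.example.com` are constructed sample input; the default values are the ones Django uses when a setting is absent.

```python
"""Offline audit of Django deployment hardening settings (added example)."""
from __future__ import annotations

from typing import Any

# Values Django falls back to when the setting is absent from settings.py.
DJANGO_DEFAULTS: dict[str, Any] = {
    "DEBUG": False,
    "ALLOWED_HOSTS": [],
    "SECURE_SSL_REDIRECT": False,
    "SESSION_COOKIE_SECURE": False,
    "CSRF_COOKIE_SECURE": False,
    "SECURE_HSTS_SECONDS": 0,
    "SECURE_HSTS_INCLUDE_SUBDOMAINS": False,
    "SECURE_HSTS_PRELOAD": False,
}

MIN_HSTS_SECONDS = 15_768_000  # six months, the floor recommended above

# Constructed sample: the gist's settings with a hostname placeholder filled in.
HARDENED_SETTINGS: dict[str, Any] = {
    "DEBUG": False,
    "ALLOWED_HOSTS": ["www.example.com"],
    "SECURE_SSL_REDIRECT": True,
    "SESSION_COOKIE_SECURE": True,
    "CSRF_COOKIE_SECURE": True,
    "SECURE_HSTS_SECONDS": 15768090,
    "SECURE_HSTS_INCLUDE_SUBDOMAINS": True,
    "SECURE_HSTS_PRELOAD": True,
}


def audit_settings(settings: dict[str, Any]) -> dict[str, str]:
    """Return {setting_name: problem} for every hardening check that fails.

    An empty dict means all checks modelled here pass. Missing keys take
    Django's default, exactly as an absent setting would in a real project.
    """
    cfg = {**DJANGO_DEFAULTS, **settings}
    findings: dict[str, str] = {}

    if cfg["DEBUG"]:
        findings["DEBUG"] = "DEBUG is True: tracebacks expose settings and source to clients"
    if not cfg["ALLOWED_HOSTS"]:
        findings["ALLOWED_HOSTS"] = "ALLOWED_HOSTS is empty: the Host header is not validated"
    elif any("://" in host or "/" in host for host in cfg["ALLOWED_HOSTS"]):
        findings["ALLOWED_HOSTS"] = "ALLOWED_HOSTS contains a URL: entries must be bare hostnames"
    if not cfg["SECURE_SSL_REDIRECT"]:
        findings["SECURE_SSL_REDIRECT"] = "plain-HTTP requests are served instead of redirected"
    if not cfg["SESSION_COOKIE_SECURE"]:
        findings["SESSION_COOKIE_SECURE"] = "session cookie may be sent over plain HTTP"
    if not cfg["CSRF_COOKIE_SECURE"]:
        findings["CSRF_COOKIE_SECURE"] = "CSRF cookie may be sent over plain HTTP"
    if cfg["SECURE_HSTS_SECONDS"] < MIN_HSTS_SECONDS:
        findings["SECURE_HSTS_SECONDS"] = (
            f"HSTS max-age {cfg['SECURE_HSTS_SECONDS']} is below {MIN_HSTS_SECONDS}"
        )
    # The two directives are meaningless without a non-zero max-age, so only
    # report them once HSTS is actually enabled.
    if cfg["SECURE_HSTS_SECONDS"] and not cfg["SECURE_HSTS_INCLUDE_SUBDOMAINS"]:
        findings["SECURE_HSTS_INCLUDE_SUBDOMAINS"] = "subdomains are not covered by HSTS"
    if cfg["SECURE_HSTS_SECONDS"] and not cfg["SECURE_HSTS_PRELOAD"]:
        findings["SECURE_HSTS_PRELOAD"] = "site is not eligible for browser HSTS preload lists"
    return findings


def hsts_header(settings: dict[str, Any]) -> str | None:
    """Build the Strict-Transport-Security value SecurityMiddleware would send.

    Returns None when SECURE_HSTS_SECONDS is 0, matching Django, which then
    emits no header at all.
    """
    cfg = {**DJANGO_DEFAULTS, **settings}
    if not cfg["SECURE_HSTS_SECONDS"]:
        return None
    value = f"max-age={cfg['SECURE_HSTS_SECONDS']}"
    if cfg["SECURE_HSTS_INCLUDE_SUBDOMAINS"]:
        value += "; includeSubDomains"
    if cfg["SECURE_HSTS_PRELOAD"]:
        value += "; preload"
    return value


if __name__ == "__main__":
    for name, sample in (("defaults", {}), ("hardened", HARDENED_SETTINGS)):
        print(f"[{name}] HSTS header: {hsts_header(sample)}")
        for setting, problem in audit_settings(sample).items():
            print(f"  {setting}: {problem}")
```

Pointing `audit_settings` at a real project is a matter of building the dict from `django.conf.settings` (or importing the settings module and reading its upper-case attributes); the checks themselves are independent of Django so they can also run in CI before the image that contains the project is built.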