Create a gist now

Instantly share code, notes, and snippets.

What would you like to do?
Django secure settings
# https://docs.djangoproject.com/en/2.0/ref/settings/
# https://docs.djangoproject.com/en/2.0/ref/settings/#csrf-cookie-httponly
# Ensure malicious script cannot access CSRF cookie
CSRF_COOKIE_HTTPONLY = True
# https://docs.djangoproject.com/en/2.0/ref/settings/#csrf-use-sessions
# Using session is safer than cookie as the former is server-side storage whilst the former is client-side stoage
CSRF_USE_SESSIONS = True
# https://docs.djangoproject.com/en/2.0/ref/settings/#email-use-tls
# Ensure the application being stick only to secure channel for email communication
EMAIL_USE_TLS = True
# https://docs.djangoproject.com/en/2.0/ref/settings/#secure-browser-xss-filter
# Provide protections against XSS
SECURE_BROWSER_XSS_FILTER = True
# https://docs.djangoproject.com/en/2.0/ref/settings/#std:setting-SECURE_CONTENT_TYPE_NOSNIFF
# Provide protections against XSS in Internet Explorer browser
SECURE_CONTENT_TYPE_NOSNIFF = True
# https://docs.djangoproject.com/en/2.0/ref/settings/#std:setting-SECURE_SSL_REDIRECT
# Ensure the application being stick only to secure channel to and from user to the application server
SECURE_SSL_REDIRECT = True
# https://docs.djangoproject.com/en/2.0/ref/settings/#session-cookie-secure
# Ensure the application session cookie has 'secure' flag to prevent side-jacking attack
SESSION_COOKIE_SECURE = True
# https://docs.djangoproject.com/en/2.0/ref/settings/#session-expire-at-browser-close
# Ensure the application session expired automatically when users close the browser without logging out.
SESSION_EXPIRE_AT_BROWSER_CLOSE = True
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment