yehgdotnet/settings.py

## settings.py
# https://docs.djangoproject.com/en/2.0/ref/settings/

# https://docs.djangoproject.com/en/2.0/ref/settings/#csrf-cookie-httponly
# Ensure malicious script cannot access CSRF cookie
CSRF_COOKIE_HTTPONLY = True

# https://docs.djangoproject.com/en/2.0/ref/settings/#csrf-use-sessions
#  Using session is safer than cookie as the former is server-side storage whilst the former is client-side stoage
CSRF_USE_SESSIONS = True

# https://docs.djangoproject.com/en/2.0/ref/settings/#email-use-tls
# Ensure the application being stick only to secure channel for email communication
EMAIL_USE_TLS = True

# https://docs.djangoproject.com/en/2.0/ref/settings/#secure-browser-xss-filter
# Provide protections against XSS
SECURE_BROWSER_XSS_FILTER = True

# https://docs.djangoproject.com/en/2.0/ref/settings/#std:setting-SECURE_CONTENT_TYPE_NOSNIFF
# Provide protections against XSS in Internet Explorer browser
SECURE_CONTENT_TYPE_NOSNIFF = True

# https://docs.djangoproject.com/en/2.0/ref/settings/#std:setting-SECURE_SSL_REDIRECT
# Ensure the application being stick only to secure channel to and from user to the application server
SECURE_SSL_REDIRECT = True

# https://docs.djangoproject.com/en/2.0/ref/settings/#session-cookie-secure
# Ensure the application session cookie has 'secure' flag to prevent side-jacking attack
SESSION_COOKIE_SECURE = True

# https://docs.djangoproject.com/en/2.0/ref/settings/#session-expire-at-browser-close
# Ensure the application session expired automatically when users close the browser without logging out.
SESSION_EXPIRE_AT_BROWSER_CLOSE = True

# https://docs.djangoproject.com/en/2.2/ref/settings/#secure-ssl-redirect
SECURE_SSL_REDIRECT = True
	# https://docs.djangoproject.com/en/2.0/ref/settings/

	# https://docs.djangoproject.com/en/2.0/ref/settings/#csrf-cookie-httponly
	# Ensure malicious script cannot access CSRF cookie
	CSRF_COOKIE_HTTPONLY = True

	# https://docs.djangoproject.com/en/2.0/ref/settings/#csrf-use-sessions
	# Using session is safer than cookie as the former is server-side storage whilst the former is client-side stoage
	CSRF_USE_SESSIONS = True

	# https://docs.djangoproject.com/en/2.0/ref/settings/#email-use-tls
	# Ensure the application being stick only to secure channel for email communication
	EMAIL_USE_TLS = True

	# https://docs.djangoproject.com/en/2.0/ref/settings/#secure-browser-xss-filter
	# Provide protections against XSS
	SECURE_BROWSER_XSS_FILTER = True

	# https://docs.djangoproject.com/en/2.0/ref/settings/#std:setting-SECURE_CONTENT_TYPE_NOSNIFF
	# Provide protections against XSS in Internet Explorer browser
	SECURE_CONTENT_TYPE_NOSNIFF = True

	# https://docs.djangoproject.com/en/2.0/ref/settings/#std:setting-SECURE_SSL_REDIRECT
	# Ensure the application being stick only to secure channel to and from user to the application server
	SECURE_SSL_REDIRECT = True

	# https://docs.djangoproject.com/en/2.0/ref/settings/#session-cookie-secure
	# Ensure the application session cookie has 'secure' flag to prevent side-jacking attack
	SESSION_COOKIE_SECURE = True

	# https://docs.djangoproject.com/en/2.0/ref/settings/#session-expire-at-browser-close
	# Ensure the application session expired automatically when users close the browser without logging out.
	SESSION_EXPIRE_AT_BROWSER_CLOSE = True

	# https://docs.djangoproject.com/en/2.2/ref/settings/#secure-ssl-redirect
	SECURE_SSL_REDIRECT = True