Code

Opened 2 years ago

Last modified 3 months ago

#17103 new New feature

Add HTTP Strict Transport Security support, to improve support for all-SSL sites

Reported by: carljm Owned by: nobody
Component: HTTP handling Version: master
Severity: Normal Keywords:
Cc: zborboa@… Triage Stage: Accepted
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

Since you pretty much shouldn't do anything with sessions or logins on a public site without SSL, I think a solid majority of public Django sites probably ought to be all-SSL. Given this, I think Django core should provide good support for all-SSL sites out of the box.

HSTS (HTTP Strict Transport Security) is an HTTP response header that allows a site to tell a browser to only ever access it over HTTPS. This avoids the need for redirect-to-SSL on repeat visits and reduces exposure to various types of attacks.

There is an existing implementation of HSTS in django-secure.

Attachments (0)

Change History (2)

comment:1 Changed 2 years ago by aaugustin

  • Triage Stage changed from Unreviewed to Accepted

comment:2 Changed 3 months ago by zborboa@…

  • Cc zborboa@… added

Add Comment

Modify Ticket

Change Properties
<Author field>
Action
as new
The owner will be changed from nobody to anonymous. Next status will be 'assigned'
as The resolution will be set. Next status will be 'closed'
Author


E-mail address and user name can be saved in the Preferences.

 
Note: See TracTickets for help on using tickets.