Opened 13 years ago
Closed 10 years ago
#17103 closed New feature (fixed)
Add HTTP Strict Transport Security support, to improve support for all-SSL sites
| Reported by: | Carl Meyer | Owned by: | nobody |
|---|---|---|---|
| Component: | HTTP handling | Version: | dev |
| Severity: | Normal | Keywords: | |
| Cc: | zborboa@… | Triage Stage: | Accepted |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
Since you pretty much shouldn't do anything with sessions or logins on a public site without SSL, I think a solid majority of public Django sites probably ought to be all-SSL. Given this, I think Django core should provide good support for all-SSL sites out of the box.
HSTS (HTTP Strict Transport Security) is an HTTP response header that allows a site to tell a browser to only ever access it over HTTPS. This avoids the need for redirect-to-SSL on repeat visits and reduces exposure to various types of attacks.
There is an existing implementation of HSTS in django-secure.
Change History (4)
comment:1 by , 13 years ago
| Triage Stage: | Unreviewed → Accepted |
|---|
comment:2 by , 11 years ago
| Cc: | added |
|---|
comment:3 by , 10 years ago
comment:4 by , 10 years ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
Note:
See TracTickets
for help on using tickets.
This was fixed in 52ef6a47269a455113d95992f868939131f9c10c as part of #17101.