Add HTTP Strict Transport Security support, to improve support for all-SSL sites
Reported by: carljm
Owned by: nobody
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Since you pretty much shouldn't do anything with sessions or logins on a public site without SSL, I think a solid majority of public Django sites probably ought to be all-SSL. Given this, I think Django core should provide good support for all-SSL sites out of the box.
HSTS (HTTP Strict Transport Security) is an HTTP response header that allows a site to tell a browser to only ever access it over HTTPS. This avoids the need for redirect-to-SSL on repeat visits and reduces exposure to various types of attacks.
There is an existing implementation of HSTS in django-secure.
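The two halves of the all-SSL behaviour the ticket describes, as an added example: redirect the first plain-HTTP visit to HTTPS, then send a Strict-Transport-Security header on HTTPS responses so later visits go straight to HTTPS. This is illustration code written for this page, not the django-secure implementation and not Django's own middleware; it is written against the WSGI interface so it runs without Django. The class and helper names, the `allowed_hosts` check, the constructed `hello_app` and the sample request environs are all assumptions for the example.

```python
"""Added example (not django-secure or Django code): HTTP->HTTPS redirect plus
an HSTS header, as a WSGI middleware with a small harness to exercise it."""
from urllib.parse import quote


def hsts_header_value(max_age, include_subdomains=False, preload=False):
    """Build the Strict-Transport-Security value from RFC 6797 directives.

    max_age is in seconds; max-age=0 tells a browser to forget the policy.
    preload is a browser preload-list convention, not an RFC 6797 directive.
    """
    if max_age < 0:
        raise ValueError("max_age must be >= 0")
    parts = ["max-age=%d" % max_age]
    if include_subdomains:
        parts.append("includeSubDomains")
    if preload:
        parts.append("preload")
    return "; ".join(parts)


class StrictTransportSecurityMiddleware:
    """Redirect plain-HTTP requests to HTTPS; add HSTS on HTTPS responses only.

    Browsers ignore Strict-Transport-Security received over plain HTTP, so the
    header is attached only after the request is known to be secure.
    """

    def __init__(self, app, allowed_hosts, max_age=31536000,
                 include_subdomains=False, preload=False,
                 trust_forwarded_proto=False):
        self.app = app
        self.allowed_hosts = set(allowed_hosts)
        self.hsts_value = hsts_header_value(max_age, include_subdomains, preload)
        # Only enable this when a TLS-terminating proxy in front of the app is
        # known to overwrite X-Forwarded-Proto; otherwise a client can spoof it.
        self.trust_forwarded_proto = trust_forwarded_proto

    def _is_secure(self, environ):
        if environ.get("wsgi.url_scheme") == "https":
            return True
        return (self.trust_forwarded_proto and
                environ.get("HTTP_X_FORWARDED_PROTO", "").lower() == "https")

    def __call__(self, environ, start_response):
        host = environ.get("HTTP_HOST") or environ.get("SERVER_NAME", "")
        if host.split(":")[0] not in self.allowed_hosts:
            # Building a redirect from an unvalidated Host header would be an
            # open redirect, so refuse unknown hosts outright.
            start_response("400 Bad Request", [("Content-Length", "0")])
            return [b""]
        if not self._is_secure(environ):
            location = "https://" + host + quote(environ.get("PATH_INFO", "/"))
            if environ.get("QUERY_STRING"):
                location += "?" + environ["QUERY_STRING"]
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]

        def hsts_start_response(status, headers, exc_info=None):
            headers = list(headers) + [("Strict-Transport-Security", self.hsts_value)]
            return start_response(status, headers, exc_info)

        return self.app(environ, hsts_start_response)


def hello_app(environ, start_response):
    """Constructed sample application standing in for the real site."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]


def make_environ(scheme, host, path, query="", forwarded_proto=None):
    """Constructed minimal WSGI environ for a GET request (assumption: test input)."""
    env = {"wsgi.url_scheme": scheme, "HTTP_HOST": host, "PATH_INFO": path,
           "QUERY_STRING": query, "REQUEST_METHOD": "GET",
           "SERVER_NAME": host.split(":")[0]}
    if forwarded_proto:
        env["HTTP_X_FORWARDED_PROTO"] = forwarded_proto
    return env


def call_app(app, environ):
    """Invoke a WSGI app once; return (status, headers as dict, body bytes)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    app = StrictTransportSecurityMiddleware(hello_app, {"example.com"},
                                            include_subdomains=True)
    print(call_app(app, make_environ("http", "example.com", "/login", "next=/")))
    print(call_app(app, make_environ("https", "example.com", "/login")))
```

The first request over plain HTTP gets a 301 to the HTTPS URL with the query string preserved and no HSTS header; the HTTPS request gets the application's response plus `Strict-Transport-Security: max-age=31536000; includeSubDomains`. A spoofed `X-Forwarded-Proto: https` on a plain-HTTP request is still redirected unless `trust_forwarded_proto` is set, and a request for a host outside `allowed_hosts` is refused rather than turned into a redirect. Before turning on `includeSubDomains`, check that every subdomain actually serves HTTPS, because the policy is cached by the browser for `max_age` seconds.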