Opened 8 years ago

Closed 8 years ago

Last modified 8 years ago

#26947 closed New feature (fixed)

Support appending the 'preload' directive to the HSTS header

Reported by: Ed Morley Owned by: Ed Morley
Component: HTTP handling Version: dev
Severity: Normal Keywords: hsts preload
Cc: Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

Django currently supports enabling the Strict-Transport-Security header, including specifying whether the includeSubDomains directive should be included within it:
https://docs.djangoproject.com/en/1.9/ref/settings/#std:setting-SECURE_HSTS_SECONDS
https://docs.djangoproject.com/en/1.9/ref/settings/#secure-hsts-include-subdomains

However, there is currently no way to append the preload directive to that header, which is required to indicate that the site owner consents to the site being added to browsers' preloaded list of sites that should only be accessed over HTTPS:
https://hstspreload.appspot.com/
https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security#Preloading_Strict_Transport_Security
https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet#Examples

I propose the addition of a new preference named SECURE_HSTS_PRELOAD that enables the directive, and behaves in a similar manner to defining SECURE_HSTS_INCLUDE_SUBDOMAINS.

I'll open a PR shortly :-)

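As an added illustration of the behaviour the ticket asks for (this is example code written for this page, not Django's own SecurityMiddleware or its system check), the following stand-alone Python builds the Strict-Transport-Security value from the three settings, applies it the way a middleware would, and reports why a configuration would not qualify for the preload list. The `SecureSettings` dataclass, the `apply_hsts`/`preload_problems`/`parse_hsts` helpers and the one-year `PRELOAD_MIN_MAX_AGE` threshold are assumptions for the example; the preload list's actual submission requirements are those published at the hstspreload site, not this constant.

```python
"""Stand-alone example: build, apply and sanity-check an HSTS header.

Not Django code. Names and the threshold below are assumptions made for
this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

# Assumption: the preload list requires max-age of at least one year.
PRELOAD_MIN_MAX_AGE = 31536000


@dataclass
class SecureSettings:
    """Hypothetical stand-in for the Django settings named in the ticket."""
    SECURE_HSTS_SECONDS: int = 0
    SECURE_HSTS_INCLUDE_SUBDOMAINS: bool = False
    SECURE_HSTS_PRELOAD: bool = False


def hsts_header_value(settings: SecureSettings) -> Optional[str]:
    """Return the header value, or None when HSTS is disabled (seconds <= 0)."""
    if settings.SECURE_HSTS_SECONDS <= 0:
        return None
    value = f"max-age={settings.SECURE_HSTS_SECONDS}"
    if settings.SECURE_HSTS_INCLUDE_SUBDOMAINS:
        value += "; includeSubDomains"
    if settings.SECURE_HSTS_PRELOAD:
        # Only meaningful together with a long max-age and includeSubDomains;
        # on its own the directive does nothing in the browser.
        value += "; preload"
    return value


def apply_hsts(settings: SecureSettings, headers: Dict[str, str],
               is_secure: bool) -> Dict[str, str]:
    """Set the header on HTTPS responses only, without overriding one set upstream.

    Sending HSTS over plain HTTP is ignored by browsers, and a value set by
    a reverse proxy or view is left alone so it is not silently weakened.
    """
    out = dict(headers)
    value = hsts_header_value(settings)
    if is_secure and value is not None and "Strict-Transport-Security" not in out:
        out["Strict-Transport-Security"] = value
    return out


def preload_problems(settings: SecureSettings) -> List[str]:
    """Reasons (possibly none) why this configuration cannot be preloaded."""
    problems = []
    if settings.SECURE_HSTS_SECONDS < PRELOAD_MIN_MAX_AGE:
        problems.append(
            f"max-age {settings.SECURE_HSTS_SECONDS} is below the assumed "
            f"minimum of {PRELOAD_MIN_MAX_AGE}")
    if not settings.SECURE_HSTS_INCLUDE_SUBDOMAINS:
        problems.append("includeSubDomains directive is missing")
    if not settings.SECURE_HSTS_PRELOAD:
        problems.append("preload directive is missing")
    return problems


def parse_hsts(value: str) -> Dict[str, Union[int, bool]]:
    """Parse a received header value (e.g. from curl -I) into a dict.

    Directive names are case-insensitive per RFC 6797, so keys are lowercased.
    """
    parsed: Dict[str, Union[int, bool]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            parsed[name] = int(arg.strip().strip('"'))
        else:
            parsed[name] = True
    return parsed


if __name__ == "__main__":
    cfg = SecureSettings(SECURE_HSTS_SECONDS=31536000,
                         SECURE_HSTS_INCLUDE_SUBDOMAINS=True,
                         SECURE_HSTS_PRELOAD=True)
    print(apply_hsts(cfg, {}, is_secure=True))
    print(preload_problems(SecureSettings(SECURE_HSTS_SECONDS=3600)))
```

Run `preload_problems` against your deployment settings before submitting a domain: enabling `preload` with a short `max-age` gets the site rejected rather than preloaded, and once a domain is on the list it can take months to be removed, so treat the directive as a commitment rather than a switch.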
Change History (4)

comment:1 by Tim Graham, 8 years ago

Triage Stage: Unreviewed → Accepted

comment:2 by Ed Morley, 8 years ago

Has patch: set
Status: new → assigned

PR opened. I've also submitted a CLA.

comment:3 by Tim Graham <timograham@…>, 8 years ago

Resolution: fixed
Status: assigned → closed

In 3c2447dd:

Fixed #26947 -- Added an option to enable the HSTS header preload directive.

comment:4 by Tim Graham <timograham@…>, 8 years ago

In 7399fee6:

Refs #26947 -- Added a deployment system check for SECURE_HSTS_PRELOAD.
