#26947 closed New feature (fixed)
Support appending the 'preload' directive to the HSTS header
| Reported by: | Ed Morley | Owned by: | Ed Morley |
|---|---|---|---|
| Component: | HTTP handling | Version: | dev |
| Severity: | Normal | Keywords: | hsts preload |
| Cc: | | Triage Stage: | Accepted |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
Django currently supports enabling the Strict-Transport-Security header, including specifying whether the includeSubDomains directive should be included within it:
https://docs.djangoproject.com/en/1.9/ref/settings/#std:setting-SECURE_HSTS_SECONDS
https://docs.djangoproject.com/en/1.9/ref/settings/#secure-hsts-include-subdomains
However, there is currently no way to append the preload directive to that header, which is required to indicate that the site owner consents to the HSTS header being added to browsers' pre-loaded list of sites that should only be accessed over HTTPS:
https://hstspreload.appspot.com/
https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security#Preloading_Strict_Transport_Security
https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet#Examples
I propose the addition of a new preference named SECURE_HSTS_PRELOAD that enables the directive, and behaves in a similar manner to defining SECURE_HSTS_INCLUDE_SUBDOMAINS.
I'll open a PR shortly :-)
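The following is an added example for this ticket, not Django's code and not part of the reporter's patch. It builds the Strict-Transport-Security value the same way SecurityMiddleware composes it (`max-age=N`, then `; includeSubDomains`, then `; preload`), taking the proposed SECURE_HSTS_PRELOAD flag as a plain function argument, and then parses a header value per RFC 6797 and checks it against the preload-list submission requirements. The thresholds (max-age of at least 31536000 seconds, includeSubDomains and preload both present) are the ones published on hstspreload.org at the time of writing and are an assumption; check the site before submitting a domain.

```python
"""Build an HSTS header from Django-style settings and check it for preloading.

Added example; not Django's own code. The preload thresholds are taken from
hstspreload.org and may change (assumption).
"""
import re

# Minimum max-age hstspreload.org accepts: one year (assumption, see lead-in).
PRELOAD_MIN_MAX_AGE = 31536000


def build_hsts_header(seconds, include_subdomains=False, preload=False):
    """Return the header value for the given settings, or None if HSTS is off.

    Mirrors the shape SecurityMiddleware emits:
        max-age=N[; includeSubDomains][; preload]
    `preload` stands in for the proposed SECURE_HSTS_PRELOAD setting.
    """
    if not seconds:
        return None
    value = "max-age=%d" % int(seconds)
    if include_subdomains:
        value += "; includeSubDomains"
    if preload:
        value += "; preload"
    return value


def parse_hsts_header(value):
    """Parse an STS header value into (max_age, flags) per RFC 6797 section 6.1.

    Directives are ';'-separated and their names are case-insensitive. A
    directive appearing twice makes the whole field invalid, so (None, set())
    is returned. `flags` holds the lower-cased valueless directive names;
    unknown directives with a value are ignored, as the RFC requires.
    """
    max_age = None
    flags = set()
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, sep, val = directive.partition("=")
        name = name.strip().lower()
        if name in seen:
            return None, set()
        seen.add(name)
        if name == "max-age":
            # max-age is a delta-seconds token, optionally quoted.
            val = val.strip().strip('"')
            if not re.fullmatch(r"\d+", val):
                return None, set()
            max_age = int(val)
        elif not sep:
            flags.add(name)
    return max_age, flags


def preload_problems(value):
    """List the reasons a header would be rejected for the preload list.

    An empty list means the header meets the assumed submission requirements.
    """
    if value is None:
        return ["no Strict-Transport-Security header is sent"]
    problems = []
    max_age, flags = parse_hsts_header(value)
    if max_age is None:
        problems.append("max-age is missing or the header is malformed")
    elif max_age < PRELOAD_MIN_MAX_AGE:
        problems.append("max-age=%d is below the %d second minimum"
                        % (max_age, PRELOAD_MIN_MAX_AGE))
    if "includesubdomains" not in flags:
        problems.append("includeSubDomains directive is missing")
    if "preload" not in flags:
        problems.append("preload directive is missing")
    return problems


if __name__ == "__main__":
    # Constructed settings: the weak configuration beside the preload-ready one.
    for seconds, subs, pre in [(3600, False, False), (31536000, True, True)]:
        header = build_hsts_header(seconds, subs, pre)
        print(header, "->", preload_problems(header) or "eligible for preload")
```

Note that the check only covers the header itself; hstspreload.org also requires a valid certificate and an HTTP-to-HTTPS redirect on the bare domain. Because preload is effectively permanent (removal from the list takes browser release cycles), `preload` should only be enabled once every subdomain is confirmed to be served over HTTPS.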
Change History (4)
comment:1 by , 9 years ago
| Triage Stage: | Unreviewed → Accepted |
|---|
comment:2 by , 9 years ago
| Has patch: | set |
|---|---|
| Status: | new → assigned |
PR opened. I've also submitted a CLA.