#26947 closed New feature (fixed)
Support appending the 'preload' directive to the HSTS header
| Reported by: | Ed Morley | Owned by: | Ed Morley |
|---|---|---|---|
| Component: | HTTP handling | Version: | dev |
| Severity: | Normal | Keywords: | hsts preload |
| Cc: | | Triage Stage: | Accepted |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
Django currently supports enabling the Strict-Transport-Security header, including specifying whether the includeSubDomains directive should be included within it:

https://docs.djangoproject.com/en/1.9/ref/settings/#std:setting-SECURE_HSTS_SECONDS
https://docs.djangoproject.com/en/1.9/ref/settings/#secure-hsts-include-subdomains

However, there is currently no way to append the preload directive to that header, which is required to indicate that the site owner consents to the site being added to browsers' preloaded list of sites that should only be accessed over HTTPS:

https://hstspreload.appspot.com/
https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security#Preloading_Strict_Transport_Security
https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet#Examples

I propose the addition of a new setting named SECURE_HSTS_PRELOAD that enables the directive and behaves in a similar manner to SECURE_HSTS_INCLUDE_SUBDOMAINS.
I'll open a PR shortly :-)
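As an added illustration (not Django's own SecurityMiddleware code and not part of the ticket), the block below builds the header value from the three settings discussed above, parses a received value into its directives, and lists why a value would fall short of the preload list's expectations; the one-year minimum max-age is an assumed threshold to verify against the preload list's current rules.

```python
# Added example, not Django's SecurityMiddleware: builds the HSTS header
# value from the three settings discussed in the ticket and checks a
# received value for the directives the preload list expects.
MIN_PRELOAD_MAX_AGE = 31536000  # one year; assumed threshold, verify against the list's rules


def hsts_header_value(seconds, include_subdomains=False, preload=False):
    """Header value for SECURE_HSTS_SECONDS / _INCLUDE_SUBDOMAINS / _PRELOAD.

    Returns None when seconds is 0, i.e. the header is not emitted at all.
    """
    if seconds <= 0:
        return None
    parts = ["max-age=%d" % seconds]
    if include_subdomains:
        parts.append("includeSubDomains")
    if preload:
        parts.append("preload")
    return "; ".join(parts)


def parse_hsts(value):
    """Map directive names (lowercased; RFC 6797 names are case-insensitive)
    to their value, or None for valueless directives like includeSubDomains."""
    directives = {}
    for token in value.split(";"):
        token = token.strip()
        if not token:
            continue
        name, _, val = token.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') or None
    return directives


def preload_problems(value, min_max_age=MIN_PRELOAD_MAX_AGE):
    """Reasons a header value would not be accepted for preloading; an empty
    list means max-age (>= min_max_age), includeSubDomains and preload are present."""
    d = parse_hsts(value)
    problems = []
    age = d.get("max-age")
    if age is None or not age.isdigit():
        problems.append("missing or non-numeric max-age")
    elif int(age) < min_max_age:
        problems.append("max-age below %d seconds" % min_max_age)
    if "includesubdomains" not in d:
        problems.append("includeSubDomains directive missing")
    if "preload" not in d:
        problems.append("preload directive missing (site owner consent)")
    return problems
```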
Change History (4)
comment:1 by , 8 years ago
| Triage Stage: | Unreviewed → Accepted |
|---|---|
comment:2 by , 8 years ago
| Has patch: | set |
|---|---|
| Status: | new → assigned |
PR opened. I've also submitted a CLA.