Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#31980 closed Bug (invalid)

manage.py check --deploy should not throw security.W004 warning if SECURE_HSTS_SECONDS is explicitly set to 0

Reported by: Magnus Longva
Owned by: nobody
Component: Core (Management commands)
Version: dev
Severity: Normal
Keywords: check deploy
Cc: Adam Johnson
Triage Stage: Unreviewed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

If you run

manage.py check --deploy

on a Django project where you have explicitly set SECURE_HSTS_SECONDS = 0 in the settings file, you get a warning

?: (security.W004) You have not set a value for the SECURE_HSTS_SECONDS setting. If your entire site is served only over SSL, you may want to consider setting a value and enabling HTTP Strict Transport Security. Be sure to read the documentation first; enabling HSTS carelessly can cause serious, irreversible problems.

This warning should only appear if you have not specified SECURE_HSTS_SECONDS anywhere.

Change History (3)

comment:1 by Mariusz Felisiak, 4 years ago

Cc: Adam Johnson added
Easy pickings: unset
Resolution: invalid
Status: new → closed

As far as I'm aware, setting SECURE_HSTS_SECONDS to 0 doesn't set the HTTP Strict Transport Security header on responses, so this warning is still valid.

comment:2 by Mariusz Felisiak, 4 years ago

If you want to ignore this warning you can add it to the SILENCED_SYSTEM_CHECKS setting.

comment:3 by Adam Johnson, 4 years ago

Indeed, the middleware only sends the header if the value is truthy.

I also don't think sending a max age of 0 seconds is valid; it's essentially saying not to use HSTS.
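As an added illustration of why the ticket was closed (this is not Django's own code), the Python below mirrors the two rules the comments describe: the deploy check warns whenever SECURE_HSTS_SECONDS is falsy, and the middleware only emits Strict-Transport-Security when the value is truthy and the request is secure. The Settings class and the function names are assumptions made for the example.

```python
"""Illustrative model of Django's HSTS deploy check and middleware rule.

Not Django's code: a self-contained re-implementation of the behaviour the
ticket discusses, so the 0 / None / positive cases can be compared directly.
"""
from dataclasses import dataclass
from typing import Optional

W004 = "security.W004"


@dataclass
class Settings:
    # Same defaults Django ships: HSTS disabled unless explicitly configured.
    SECURE_HSTS_SECONDS: Optional[int] = 0
    SECURE_HSTS_INCLUDE_SUBDOMAINS: bool = False
    SECURE_HSTS_PRELOAD: bool = False
    SILENCED_SYSTEM_CHECKS: tuple = ()


def check_sts(settings: Settings) -> list:
    """Deploy check: warn when the value is falsy (0 and None are identical here)."""
    warnings = []
    if not settings.SECURE_HSTS_SECONDS:
        warnings.append(W004)
    # Silencing the check is the supported way to hide it deliberately.
    return [w for w in warnings if w not in settings.SILENCED_SYSTEM_CHECKS]


def hsts_header(settings: Settings, request_is_secure: bool = True,
                response_headers: Optional[dict] = None) -> Optional[str]:
    """Middleware rule: header only for a truthy max-age on a secure request,
    and never overwriting a header the view already set."""
    response_headers = response_headers or {}
    if not (settings.SECURE_HSTS_SECONDS and request_is_secure):
        return None
    if "Strict-Transport-Security" in response_headers:
        return response_headers["Strict-Transport-Security"]
    value = f"max-age={settings.SECURE_HSTS_SECONDS}"
    if settings.SECURE_HSTS_INCLUDE_SUBDOMAINS:
        value += "; includeSubDomains"
    if settings.SECURE_HSTS_PRELOAD:
        value += "; preload"
    return value


if __name__ == "__main__":
    for seconds in (None, 0, 31536000):
        s = Settings(SECURE_HSTS_SECONDS=seconds)
        print(seconds, check_sts(s), hsts_header(s))
```

Running the block shows that 0 and None produce the same warning and the same absence of the header, which is the point both comments make.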
