Setting SECURE_HSTS_SECONDS can irreversibly break your site?

Tags:

python

django

I'm wanting to implement SECURE_HSTS_SECONDS in my Django settings for extra security - however the warning from the Django docs is making me a bit scared so I want some clarification. Here is what it says:

SECURE_HSTS_SECONDS

Default: 0

If set to a non-zero integer value, the SecurityMiddleware sets the HTTP Strict Transport Security header on all responses that do not already have it.

Warning: Setting this incorrectly can irreversibly (for some time) break your site. Read the HTTP Strict Transport Security documentation first.

What has to happen for it to "break my site"? I read the HTTP Strict Transport Security documentation first and it didn't make it any clearer.

Zorgan asked Mar 08 '18 06:03


1 Answer

HTTP Strict Transport Security

HTTP Strict Transport Security lets a web site inform the browser that it should never load the site using HTTP and should automatically convert all attempts to access the site using HTTP to HTTPS requests instead. It consists of one HTTP header, Strict-Transport-Security, sent back by the server with the resource.

In other words, if you set the value of SECURE_HSTS_SECONDS to e.g. 518400 (6 days), your web server will inform your client's browser the first time they visit your site to exclusively access your website over https in the future. This applies to the entire defined period. If for any reason you no longer provide access to your website over https, the browser could not access your services anymore.

Therefore, you should initially set this variable to a low value of like 60s and make sure that everything works as expected, otherwise you could prevent yourself and your client from visiting your site.

Browsers properly respecting the HSTS header will refuse to allow users to bypass warnings and connect to a site with an expired, self-signed, or otherwise invalid SSL certificate. If you use HSTS, make sure your certificates are in good shape and stay that way! Source

Yannic Hamann answered Sep 20 '22 04:09
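To make the answer's "locked to HTTPS until the period expires" behaviour concrete, here is an added example (not from the original post and not Django's own code) that builds the header value Django emits for a given SECURE_HSTS_SECONDS and models the per-host cache a browser keeps under RFC 6797: a short max-age lapses quickly, a long one keeps rewriting http:// to https:// for days, and max-age=0 is the only header value that clears the entry. The `BrowserHstsCache` class and the timestamps are constructed for illustration.

```python
"""Model how a browser caches the Strict-Transport-Security header
that Django's SecurityMiddleware sends for SECURE_HSTS_SECONDS."""
import re
from dataclasses import dataclass


def django_hsts_header(seconds: int, include_subdomains: bool = False) -> str:
    """Header value Django emits for SECURE_HSTS_SECONDS (and
    SECURE_HSTS_INCLUDE_SUBDOMAINS), e.g. 'max-age=60'."""
    value = f"max-age={seconds}"
    if include_subdomains:
        value += "; includeSubDomains"
    return value


@dataclass
class HstsEntry:
    expires: float            # absolute time after which the pin lapses
    include_subdomains: bool  # whether the pin also covers subdomains


class BrowserHstsCache:
    """Constructed stand-in for a browser's known-HSTS-host store."""

    def __init__(self) -> None:
        self._hosts: dict = {}

    def observe(self, host: str, header: str, now: float) -> None:
        """Record the header from a successful HTTPS response."""
        m = re.search(r"max-age\s*=\s*\"?(\d+)\"?", header, re.IGNORECASE)
        if not m:
            return
        max_age = int(m.group(1))
        if max_age == 0:  # max-age=0 tells the browser to forget the host
            self._hosts.pop(host, None)
            return
        sub = re.search(r"includeSubDomains", header, re.IGNORECASE) is not None
        self._hosts[host] = HstsEntry(expires=now + max_age, include_subdomains=sub)

    def must_use_https(self, host: str, now: float) -> bool:
        """True while the browser will refuse plain HTTP for this host,
        which is the state that breaks the site if HTTPS stops working."""
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry is None or entry.expires <= now:
                continue
            if i == 0 or entry.include_subdomains:  # exact host or covered subdomain
                return True
        return False
```

Run `observe` with a 60-second header first, confirm `must_use_https` turns false a minute later, and only then raise the value in settings.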