summaryrefslogtreecommitdiff
path: root/docs/ref
diff options
context:
space:
mode:
authorEd Morley <emorley@mozilla.com>2016-07-28 17:48:07 +0100
committerTim Graham <timograham@gmail.com>2016-08-10 20:23:54 -0400
commit3c2447dd13e495d57700ca8447896acd85044444 (patch)
tree26ad18a7df9ff5b0d9e35723164baa4587747e4b /docs/ref
parentc412aaca735c7cc1c766b85c1512f9ff434ce63a (diff)
Fixed #26947 -- Added an option to enable the HSTS header preload directive.
Diffstat (limited to 'docs/ref')
-rw-r--r--docs/ref/middleware.txt6
-rw-r--r--docs/ref/settings.txt20
2 files changed, 26 insertions, 0 deletions
diff --git a/docs/ref/middleware.txt b/docs/ref/middleware.txt
index cee18ea058..8334c44216 100644
--- a/docs/ref/middleware.txt
+++ b/docs/ref/middleware.txt
@@ -226,6 +226,7 @@ enabled or disabled with a setting.
* :setting:`SECURE_BROWSER_XSS_FILTER`
* :setting:`SECURE_CONTENT_TYPE_NOSNIFF`
* :setting:`SECURE_HSTS_INCLUDE_SUBDOMAINS`
+* :setting:`SECURE_HSTS_PRELOAD`
* :setting:`SECURE_HSTS_SECONDS`
* :setting:`SECURE_REDIRECT_EXEMPT`
* :setting:`SECURE_SSL_HOST`
@@ -260,6 +261,10 @@ to the ``Strict-Transport-Security`` header. This is recommended (assuming all
subdomains are served exclusively using HTTPS), otherwise your site may still
be vulnerable via an insecure connection to a subdomain.
+If you wish to submit your site to the `browser preload list`_, set the
+:setting:`SECURE_HSTS_PRELOAD` setting to ``True``. That appends the
+``preload`` directive to the ``Strict-Transport-Security`` header.
+
.. warning::
The HSTS policy applies to your entire domain, not just the URL of the
response that you set the header on. Therefore, you should only use it if
@@ -277,6 +282,7 @@ be vulnerable via an insecure connection to a subdomain.
you may need to set the :setting:`SECURE_PROXY_SSL_HEADER` setting.
.. _"Strict-Transport-Security" header: https://en.wikipedia.org/wiki/Strict_Transport_Security
+.. _browser preload list: https://hstspreload.appspot.com/
.. _x-content-type-options:
diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt
index 9e0d8b8d41..445e504e98 100644
--- a/docs/ref/settings.txt
+++ b/docs/ref/settings.txt
@@ -2062,6 +2062,25 @@ non-zero value.
:setting:`SECURE_HSTS_SECONDS`) break your site. Read the
:ref:`http-strict-transport-security` documentation first.
+.. setting:: SECURE_HSTS_PRELOAD
+
+``SECURE_HSTS_PRELOAD``
+-----------------------
+
+.. versionadded:: 1.11
+
+Default: ``False``
+
+If ``True``, the :class:`~django.middleware.security.SecurityMiddleware` adds
+the ``preload`` directive to the :ref:`http-strict-transport-security`
+header. It has no effect unless :setting:`SECURE_HSTS_SECONDS` is set to a
+non-zero value.
+
+.. warning::
+ Setting this incorrectly can irreversibly (for at least several months,
+ depending on browser releases) break your site. Read the
+ :ref:`http-strict-transport-security` documentation first.
+
.. setting:: SECURE_HSTS_SECONDS
``SECURE_HSTS_SECONDS``
@@ -3334,6 +3353,7 @@ HTTP
* :setting:`SECURE_BROWSER_XSS_FILTER`
* :setting:`SECURE_CONTENT_TYPE_NOSNIFF`
* :setting:`SECURE_HSTS_INCLUDE_SUBDOMAINS`
+ * :setting:`SECURE_HSTS_PRELOAD`
* :setting:`SECURE_HSTS_SECONDS`
* :setting:`SECURE_PROXY_SSL_HEADER`
* :setting:`SECURE_REDIRECT_EXEMPT`