diff options
| author | Ed Morley <emorley@mozilla.com> | 2016-07-28 17:48:07 +0100 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2016-08-10 20:23:54 -0400 |
| commit | 3c2447dd13e495d57700ca8447896acd85044444 (patch) | |
| tree | 26ad18a7df9ff5b0d9e35723164baa4587747e4b /docs/ref | |
| parent | c412aaca735c7cc1c766b85c1512f9ff434ce63a (diff) | |
Fixed #26947 -- Added an option to enable the HSTS header preload directive.
Diffstat (limited to 'docs/ref')
| -rw-r--r-- | docs/ref/middleware.txt | 6 | ||||
| -rw-r--r-- | docs/ref/settings.txt | 20 |
2 files changed, 26 insertions, 0 deletions
diff --git a/docs/ref/middleware.txt b/docs/ref/middleware.txt index cee18ea058..8334c44216 100644 --- a/docs/ref/middleware.txt +++ b/docs/ref/middleware.txt @@ -226,6 +226,7 @@ enabled or disabled with a setting. * :setting:`SECURE_BROWSER_XSS_FILTER` * :setting:`SECURE_CONTENT_TYPE_NOSNIFF` * :setting:`SECURE_HSTS_INCLUDE_SUBDOMAINS` +* :setting:`SECURE_HSTS_PRELOAD` * :setting:`SECURE_HSTS_SECONDS` * :setting:`SECURE_REDIRECT_EXEMPT` * :setting:`SECURE_SSL_HOST` @@ -260,6 +261,10 @@ to the ``Strict-Transport-Security`` header. This is recommended (assuming all subdomains are served exclusively using HTTPS), otherwise your site may still be vulnerable via an insecure connection to a subdomain. +If you wish to submit your site to the `browser preload list`_, set the +:setting:`SECURE_HSTS_PRELOAD` setting to ``True``. That appends the +``preload`` directive to the ``Strict-Transport-Security`` header. + .. warning:: The HSTS policy applies to your entire domain, not just the URL of the response that you set the header on. Therefore, you should only use it if @@ -277,6 +282,7 @@ be vulnerable via an insecure connection to a subdomain. you may need to set the :setting:`SECURE_PROXY_SSL_HEADER` setting. .. _"Strict-Transport-Security" header: https://en.wikipedia.org/wiki/Strict_Transport_Security +.. _browser preload list: https://hstspreload.appspot.com/ .. _x-content-type-options: diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt index 9e0d8b8d41..445e504e98 100644 --- a/docs/ref/settings.txt +++ b/docs/ref/settings.txt @@ -2062,6 +2062,25 @@ non-zero value. :setting:`SECURE_HSTS_SECONDS`) break your site. Read the :ref:`http-strict-transport-security` documentation first. +.. setting:: SECURE_HSTS_PRELOAD + +``SECURE_HSTS_PRELOAD`` +----------------------- + +.. versionadded:: 1.11 + +Default: ``False`` + +If ``True``, the :class:`~django.middleware.security.SecurityMiddleware` adds +the ``preload`` directive to the :ref:`http-strict-transport-security` +header. It has no effect unless :setting:`SECURE_HSTS_SECONDS` is set to a +non-zero value. + +.. warning:: + Setting this incorrectly can irreversibly (for at least several months, + depending on browser releases) break your site. Read the + :ref:`http-strict-transport-security` documentation first. + .. setting:: SECURE_HSTS_SECONDS ``SECURE_HSTS_SECONDS`` @@ -3334,6 +3353,7 @@ HTTP * :setting:`SECURE_BROWSER_XSS_FILTER` * :setting:`SECURE_CONTENT_TYPE_NOSNIFF` * :setting:`SECURE_HSTS_INCLUDE_SUBDOMAINS` + * :setting:`SECURE_HSTS_PRELOAD` * :setting:`SECURE_HSTS_SECONDS` * :setting:`SECURE_PROXY_SSL_HEADER` * :setting:`SECURE_REDIRECT_EXEMPT` |
