author: Aymeric Augustin <aymeric.augustin@m4x.org> 2013-03-17 19:29:22 +0100
committer: Aymeric Augustin <aymeric.augustin@m4x.org> 2013-03-17 19:29:22 +0100
commit: c94db53eaa9b344f9227fa4dff2b1a5e9c7dce9d (patch)
tree: 5e915d3814d8a59195a2d8ea126f1cef2319f599 /docs/howto
parent: 912b5d2a6bc78067d6a7e130f10514c51bd1a58f (diff)
Two additions to the deployment checklist.
Thanks Erik Romijn.
Diffstat (limited to 'docs/howto'):
-rw-r--r-- docs/howto/deployment/checklist.txt | 7
1 files changed, 6 insertions, 1 deletions
diff --git a/docs/howto/deployment/checklist.txt b/docs/howto/deployment/checklist.txt
index 53b257ae20..72c15b7807 100644
--- a/docs/howto/deployment/checklist.txt
+++ b/docs/howto/deployment/checklist.txt
@@ -93,6 +93,9 @@ connections from your application servers.
Database connection parameters are probably different in development and in
production.
+Database passwords are very sensitive. You should protect them exactly like
+:setting:`SECRET_KEY`.
+
For maximum security, make sure database servers only accept connections from
your application servers.
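Review bot: the new paragraph tells readers to protect database passwords "exactly like SECRET_KEY" but does not say what that protection consists of, so it only helps readers who already know the SECRET_KEY guidance. Consider either cross-referencing the SECRET_KEY entry of this checklist explicitly or spelling out the essentials in one sentence (keep the password out of version control and out of settings files that are checked in; load it from the environment or from a file readable only by the application user). Small style point: "exactly like" reads as absolute; "in the same way as" would be less rigid.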
@@ -130,7 +133,9 @@ the login/password, the session cookie, and password reset tokens. (You can't
do much to protect password reset tokens if you're sending them by email.)
Protecting sensitive areas such as the user account or the admin isn't
-sufficient, because the same session cookie is used for HTTP and HTTPS.
+sufficient, because the same session cookie is used for HTTP and HTTPS. Your
+web server must redirect all HTTP traffic to HTTPS, and only transmit HTTPS
+requests to Django.
Once you've set up HTTPS, enable the following settings.
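Review bot: the added sentence "only transmit HTTPS requests to Django" is ambiguous when the web server terminates TLS and proxies to Django over plain HTTP, which is the usual layout: from Django's point of view those requests arrive as HTTP, so request.is_secure() is false unless SECURE_PROXY_SSL_HEADER is configured for the proxy's header. Consider clarifying that the requirement is that the web server accept only HTTPS from clients and redirect everything else, and mention the proxy-header setting so that the redirect does not break the settings introduced in the next sentence. It would also help to note that the redirect alone does not stop a browser from sending an existing session cookie over the initial HTTP request; that is exactly why the secure-cookie settings that follow are still needed, and saying so ties the two paragraphs together.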