HTTPS and HSTS on Apache/mod_wsgi and Django

孤人 submitted on 2019-12-05 22:50:34

It's been a while since you've asked the question. Anyway, I faced similar doubts. The documentation is ambiguous whether we should enable HSTS at the app level or on a web server:

HSTS may either be configured with SECURE_HSTS_SECONDS, SECURE_HSTS_INCLUDE_SUBDOMAINS, and SECURE_HSTS_PRELOAD, or on the Web server.

The deployment checklist (manage.py check --deploy) suggests setting SECURE_HSTS_SECONDS in production.

On the other hand, Django book states:

HSTS is usually configured on the web server.

Considering security, both the server setup and the Django middleware do the same thing: they set the "Strict-Transport-Security" response header. I believe that web servers have better performance than Django middleware, though I haven't tested it.

Also, Two Scoops of Django suggests that it is better to put the HTTPS redirect settings on the web server:

Performance-wise, it’s better to do this at the web server level (p. 347)
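Whichever layer emits the header, the outcome to verify is the same: every HTTPS response carries a well-formed Strict-Transport-Security value with an adequate max-age. The following is an added example, not code from the answer above or from Django itself. It reproduces the header-building rule that Django's SecurityMiddleware applies to SECURE_HSTS_SECONDS, SECURE_HSTS_INCLUDE_SUBDOMAINS and SECURE_HSTS_PRELOAD without importing Django, and pairs it with a parser/checker (names such as `build_hsts_header`, `parse_hsts_header` and `check_response_headers` are this example's own) that can be run against response headers captured from either the middleware or an Apache `Header` directive. The sample header dictionaries in the usage section are constructed for illustration.

```python
"""Build and validate a Strict-Transport-Security (HSTS) header.

Added example; not part of the original answer or of Django.
build_hsts_header() mirrors the value Django's SecurityMiddleware produces
from the three SECURE_HSTS_* settings (Django only adds it on HTTPS
requests, which RFC 6797 requires anyway). parse_hsts_header() and
check_response_headers() validate whatever the server actually sent.
"""
from dataclasses import dataclass

# One year in seconds: the minimum the HSTS preload list requires.
ONE_YEAR = 31536000


def build_hsts_header(seconds, include_subdomains=False, preload=False):
    """Return the header value SecurityMiddleware would emit, or None."""
    if seconds <= 0:
        return None  # SECURE_HSTS_SECONDS = 0 disables the header in Django
    parts = [f"max-age={int(seconds)}"]
    if include_subdomains:
        parts.append("includeSubDomains")
    if preload:
        parts.append("preload")
    return "; ".join(parts)


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts_header(value):
    """Parse per RFC 6797 section 6.1.

    Directives are ';'-separated, names are case-insensitive, max-age is
    required and must appear once; unknown directives are ignored.
    """
    max_age = None
    include_subdomains = False
    preload = False
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')  # RFC 6797 allows a quoted-string value
        if name == "max-age":
            if max_age is not None or not arg.isdigit():
                raise ValueError("malformed or duplicate max-age")
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        raise ValueError("max-age directive is required")
    return HstsPolicy(max_age, include_subdomains, preload)


def check_response_headers(headers, min_age=ONE_YEAR):
    """Check a dict of response headers; return a list of findings ([] = OK)."""
    lookup = {k.lower(): v for k, v in headers.items()}
    value = lookup.get("strict-transport-security")
    if value is None:
        return ["no Strict-Transport-Security header"]
    try:
        policy = parse_hsts_header(value)
    except ValueError as exc:
        return [f"unparseable HSTS header: {exc}"]
    findings = []
    if policy.max_age < min_age:
        findings.append(f"max-age {policy.max_age} is below {min_age}")
    if policy.preload and not (policy.include_subdomains and policy.max_age >= ONE_YEAR):
        findings.append("preload requires includeSubDomains and max-age >= 1 year")
    return findings


if __name__ == "__main__":
    # Constructed sample: what the Django settings produce ...
    value = build_hsts_header(ONE_YEAR, include_subdomains=True, preload=True)
    print("Django would send:", value)
    # ... and the same check applied to a constructed Apache-style response.
    apache_like = {"Content-Type": "text/html", "Strict-Transport-Security": "max-age=3600"}
    print("findings:", check_response_headers(apache_like))
```

The equivalent Apache configuration is a single mod_headers directive such as `Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"` inside the HTTPS virtual host; running the checker against a response from that server and against one from the Django middleware should give identical findings, which is the practical test of the "same thing, different layer" point made above. Start with a short max-age while rolling out, since browsers cache the policy for the full period and a wrong value locks clients out of any HTTP-only resources.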
