From f1d6b5b5b1c8a3461e7bb90760531cf5725b59be Mon Sep 17 00:00:00 2001 From: David Sanders Date: Fri, 4 Sep 2015 23:19:27 +1000 Subject: [PATCH] [1.8.x] Added links to new security settings introduced in 1.8. Backport of cc968b9c9046769ddce574b0fc0ce4f525f25843 from master --- docs/topics/security.txt | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/docs/topics/security.txt b/docs/topics/security.txt index b080979812..62be131145 100644 --- a/docs/topics/security.txt +++ b/docs/topics/security.txt @@ -134,12 +134,12 @@ server, there are some additional steps you may need: in CSRF vulnerabilities, and failure to do it correctly can also be dangerous! -* Set up redirection so that requests over HTTP are redirected to HTTPS. +* Set :setting:`SECURE_SSL_REDIRECT` to ``True``, so that requests over HTTP + are redirected to HTTPS. - This could be done using a custom middleware. Please note the caveats under - :setting:`SECURE_PROXY_SSL_HEADER`. For the case of a reverse proxy, it may be - easier or more secure to configure the main Web server to do the redirect to - HTTPS. + Please note the caveats under :setting:`SECURE_PROXY_SSL_HEADER`. For the + case of a reverse proxy, it may be easier or more secure to configure the + main Web server to do the redirect to HTTPS. * Use 'secure' cookies. @@ -152,13 +152,14 @@ server, there are some additional steps you may need: any POST data being accepted over HTTP (which will be fine if you are redirecting all HTTP traffic to HTTPS). -* Use HTTP Strict Transport Security (HSTS) +* Use :ref:`http-strict-transport-security` (HSTS) HSTS is an HTTP header that informs a browser that all future connections to a particular site should always use HTTPS. Combined with redirecting requests over HTTP to HTTPS, this will ensure that connections always enjoy the added security of SSL provided one successful connection has occurred. - HSTS is usually configured on the web server. + HSTS may either be configured with :setting:`SECURE_HSTS_SECONDS` and + :setting:`SECURE_HSTS_INCLUDE_SUBDOMAINS` or on the Web server. .. _host-headers-virtual-hosting: