vi4hu · June 28, 2022 12:13
diff --git a/settings.py b/settings.py
 # you can check all the security checks by running
 # python manage.py check --deploy

 # set debug to false
 DEBUG = false #True by default

 # set allowed host
 ALLOWED_HOSTS = ["your website url"] # you can only access the application via these hosts

 # A tuple representing a HTTP header/value combination that signifies a request is secure. This controls the behavior of the request object’s is_secure() method.
 # By default, is_secure() determines if a request is secure by confirming that a requested URL uses https://. This method is important for Django’s CSRF protection, and it may be used by your own code or third-party apps
 SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https") # default: none

 # redirects all non-HTTPS requests to HTTPS
 SECURE_SSL_REDIRECT = True # default: False

 # the cookie will be marked as “secure”, which means browsers may ensure that the cookie is only sent under an HTTPS connection.
 SESSION_COOKIE_SECURE = True # False by default

 # the cookie will be marked as “secure”, which means browsers may ensure that the cookie is only sent with an HTTPS connection.
 CSRF_COOKIE_SECURE = True # False by default

 # sets the HTTP Strict Transport Security header on all responses that do not already have it.
 SECURE_HSTS_SECONDS = 15768090  # 0 by default. set low, but when site is ready for deployment, set to at least 15768000 (6 months)

 # adds the includeSubDomains directive to the HTTP Strict Transport Security header. It has no effect unless SECURE_HSTS_SECONDS is set to a non-zero value.
 SECURE_HSTS_INCLUDE_SUBDOMAINS = True # False by default

 # adds the preload directive to the HTTP Strict Transport Security header. It has no effect unless SECURE_HSTS_SECONDS is set to a non-zero value.
 SECURE_HSTS_PRELOAD = True # False by default

 # sets the X-XSS-Protection: 1; mode=block header on all responses that do not already have it.
 # Modern browsers don’t honor X-XSS-Protection HTTP header anymore. Although the setting offers little practical benefit, you may still want to set the header if you support older browsers.
 SECURE_BROWSER_XSS_FILTER = True

 # visit https://docs.djangoproject.com/en/3.1/ref/settings/ for more details
	# you can check all the security checks by running
	# python manage.py check --deploy

	# set debug to false
	DEBUG = false #True by default

	# set allowed host
	ALLOWED_HOSTS = ["your website url"] # you can only access the application via these hosts

	# A tuple representing a HTTP header/value combination that signifies a request is secure. This controls the behavior of the request object’s is_secure() method.
	# By default, is_secure() determines if a request is secure by confirming that a requested URL uses https://. This method is important for Django’s CSRF protection, and it may be used by your own code or third-party apps
	SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https") # default: none

	# redirects all non-HTTPS requests to HTTPS
	SECURE_SSL_REDIRECT = True # default: False

	# the cookie will be marked as “secure”, which means browsers may ensure that the cookie is only sent under an HTTPS connection.
	SESSION_COOKIE_SECURE = True # False by default

	# the cookie will be marked as “secure”, which means browsers may ensure that the cookie is only sent with an HTTPS connection.
	CSRF_COOKIE_SECURE = True # False by default

	# sets the HTTP Strict Transport Security header on all responses that do not already have it.
	SECURE_HSTS_SECONDS = 15768090 # 0 by default. set low, but when site is ready for deployment, set to at least 15768000 (6 months)

	# adds the includeSubDomains directive to the HTTP Strict Transport Security header. It has no effect unless SECURE_HSTS_SECONDS is set to a non-zero value.
	SECURE_HSTS_INCLUDE_SUBDOMAINS = True # False by default

	# adds the preload directive to the HTTP Strict Transport Security header. It has no effect unless SECURE_HSTS_SECONDS is set to a non-zero value.
	SECURE_HSTS_PRELOAD = True # False by default

	# sets the X-XSS-Protection: 1; mode=block header on all responses that do not already have it.
	# Modern browsers don’t honor X-XSS-Protection HTTP header anymore. Although the setting offers little practical benefit, you may still want to set the header if you support older browsers.
	SECURE_BROWSER_XSS_FILTER = True

	# visit https://docs.djangoproject.com/en/3.1/ref/settings/ for more details