From 3a51efd59744a9010f0e9796d5256fdd04e49e03 Mon Sep 17 00:00:00 2001
From: Ben Sturmfels
Date: Mon, 24 Apr 2023 17:19:56 +1000
Subject: [PATCH] Configure Django production security settings
---
 pinaxcon/settings.py | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/pinaxcon/settings.py b/pinaxcon/settings.py
index d6c2e04a..c35532ea 100644
--- a/pinaxcon/settings.py
+++ b/pinaxcon/settings.py
@@ -608,3 +608,20 @@ ACCOUNT_SIGNUP_REDIRECT_URL = '/dashboard/'
 ACCOUNT_LOGIN_REDIRECT_URL = '/dashboard/'
 ADMINS = [('', email) for email in os.environ.get('DJANGO_ADMINS', '').split(',') if email]
+
+# Django recommended security settings.
+SECURE_CONTENT_TYPE_NOSNIFF = True
+SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTOCOL', 'https')
+SECURE_SSL_REDIRECT = True
+SECURE_BROWSER_XSS_FILTER = True
+SESSION_COOKIE_SECURE = True
+CSRF_COOKIE_SECURE = True
+CSRF_COOKIE_HTTPONLY = True
+X_FRAME_OPTIONS = 'DENY'
+
+
+SILENCED_SYSTEM_CHECKS = [
+ # HSTS is handled by Nginx.
+ 'security.W004',
+ # Don't want to preload HSTS at this stage.
+ 'security.W021']
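Review bot: `SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTOCOL', 'https')` makes Django trust a header the proxy must supply, and the name chosen (`X-Forwarded-Protocol`) differs from the `X-Forwarded-Proto` header that nginx's usual `proxy_set_header X-Forwarded-Proto $scheme;` and Django's own documentation example use; if nginx sends the other name, `request.is_secure()` stays false and the new `SECURE_SSL_REDIRECT = True` turns every request into a redirect loop. Whichever name is used, nginx must set that header unconditionally on every proxied request and never pass a client-supplied value through, because otherwise a plain-HTTP request carrying the header would be treated as secure — the nginx config is outside this diff, so neither point can be confirmed here. These settings are also unconditional in `settings.py` although the subject line calls them production settings, so a local HTTP `runserver` would be redirected unless a separate dev settings module overrides them; a comment next to the header setting such as `# Nginx must set this header on every request and overwrite any client-supplied value.` would record the assumption the setting depends on.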