From 3e21ee85d0cf8950f1f4cec0b8a5689856f68269 Mon Sep 17 00:00:00 2001
From: Ben Sturmfels
Date: Mon, 24 Apr 2023 17:52:55 +1000
Subject: [PATCH] Only apply Django security settings in production

---
 pinaxcon/settings.py | 29 +++++++++++++++--------------
 1 file changed, 15 insertions(+), 14 deletions(-)

diff --git a/pinaxcon/settings.py b/pinaxcon/settings.py
index c35532ea..7232d380 100644
--- a/pinaxcon/settings.py
+++ b/pinaxcon/settings.py
@@ -609,19 +609,20 @@ ACCOUNT_LOGIN_REDIRECT_URL = '/dashboard/'
 ADMINS = [('', email) for email in os.environ.get('DJANGO_ADMINS', '').split(',') if email]
 
-# Django recommended security settings.
-SECURE_CONTENT_TYPE_NOSNIFF = True
-SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTOCOL', 'https')
-SECURE_SSL_REDIRECT = True
-SECURE_BROWSER_XSS_FILTER = True
-SESSION_COOKIE_SECURE = True
-CSRF_COOKIE_SECURE = True
-CSRF_COOKIE_HTTPONLY = True
-X_FRAME_OPTIONS = 'DENY'
+if not DEBUG:
+    # Django recommended security settings.
+    SECURE_CONTENT_TYPE_NOSNIFF = True
+    SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTOCOL', 'https')
+    SECURE_SSL_REDIRECT = True
+    SECURE_BROWSER_XSS_FILTER = True
+    SESSION_COOKIE_SECURE = True
+    CSRF_COOKIE_SECURE = True
+    CSRF_COOKIE_HTTPONLY = True
+    X_FRAME_OPTIONS = 'DENY'
 
-SILENCED_SYSTEM_CHECKS = [
-    # HSTS is handled by Nginx.
-    'security.W004',
-    # Don't want to preload HSTS at this stage.
-    'security.W021']
+    SILENCED_SYSTEM_CHECKS = [
+        # HSTS is handled by Nginx.
+        'security.W004',
+        # Don't want to preload HSTS at this stage.
+        'security.W021']