Merge pull request #64 from girder/https

Configure robust HTTPS serving in production
kitware-resonant · Oct 5, 2020 · b32e108 · b32e108
2 parents 4df5a3b + 4d5aa7a
commit b32e108
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 1 deletion.
diff --git a/composed_configuration/configuration/__init__.py b/composed_configuration/configuration/__init__.py
@@ -13,6 +13,7 @@
 from ._email import ConsoleEmailMixin, SmtpEmailMixin
 from ._extensions import ExtensionsMixin
 from ._filter import FilterMixin
+from ._https import HttpsMixin
 from ._logging import LoggingMixin
 from ._rest_framework import RestFrameworkMixin
 from ._static import StaticFileMixin, WhitenoiseStaticFileMixin
@@ -31,6 +32,7 @@
     'ExtensionsMixin',
     'FilterMixin',
     'HerokuProductionBaseConfiguration',
+    'HttpsMixin',
     'LoggingMixin',
     'MinioStorageMixin',
     'ProductionBaseConfiguration',

diff --git a/composed_configuration/configuration/_configuration.py b/composed_configuration/configuration/_configuration.py
@@ -11,6 +11,7 @@
 from ._email import ConsoleEmailMixin, SmtpEmailMixin
 from ._extensions import ExtensionsMixin
 from ._filter import FilterMixin
+from ._https import HttpsMixin
 from ._logging import LoggingMixin
 from ._rest_framework import RestFrameworkMixin
 from ._static import WhitenoiseStaticFileMixin
@@ -65,7 +66,7 @@ class TestingBaseConfiguration(MinioStorageMixin, _BaseConfiguration):
     # Testing will set EMAIL_BACKEND to use the memory backend
 
 
-class ProductionBaseConfiguration(SmtpEmailMixin, S3StorageMixin, _BaseConfiguration):
+class ProductionBaseConfiguration(SmtpEmailMixin, S3StorageMixin, HttpsMixin, _BaseConfiguration):
     pass
 
 
@@ -82,3 +83,5 @@ class HerokuProductionBaseConfiguration(ProductionBaseConfiguration):
     CELERY_BROKER_URL = values.Value(
         environ_name='CLOUDAMQP_URL', environ_prefix=None, environ_required=True
     )
+    # https://help.heroku.com/J2R1S4T8/can-heroku-force-an-application-to-use-ssl-tls
+    SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
diff --git a/composed_configuration/configuration/_https.py b/composed_configuration/configuration/_https.py
@@ -0,0 +1,21 @@
+from typing import Optional, Tuple
+
+from ._base import ConfigMixin
+
+
+class HttpsMixin(ConfigMixin):
+    """Configure Django's security middleware for HTTPS."""
+
+    SECURE_SSL_REDIRECT = True
+
+    # This must be set when deployed behind a proxy
+    SECURE_PROXY_SSL_HEADER: Optional[Tuple[str, str]] = None
+
+    SESSION_COOKIE_SECURE = True
+    CSRF_COOKIE_SECURE = True
+
+    # Enable HSTS
+    SECURE_HSTS_SECONDS = 60 * 60 * 24 * 365  # 1 year
+    # This is already False by default, but it's important to ensure HSTS is not forced on other
+    # subdomains which may have different HTTPS practices.
+    SECURE_HSTS_INCLUDE_SUBDOMAINS = False