[Django] #26947: Support appending the 'preload' directive to the HSTS header
Django
-------------------------------+--------------------------
Reporter: edmorley | Owner: edmorley
Type: New feature | Status: new
Component: HTTP handling | Version: master
Severity: Normal | Keywords: hsts preload
Triage Stage: Unreviewed | Has patch: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+--------------------------
Django currently supports enabling the `Strict-Transport-Security` header,
including specifying whether the `includeSubDomains` directive should be
included within it:
https://docs.djangoproject.com/en/1.9/ref/settings/#std:setting-
SECURE_HSTS_SECONDS
https://docs.djangoproject.com/en/1.9/ref/settings/#secure-hsts-include-
subdomains
However there is currently no way to append the `preload` directive to
that header, which is required to indicate that the site owner consents to
the HSTS header being added to browser's pre-loaded list of sites that
should only be accessed over HTTPS:
https://hstspreload.appspot.com/
https://developer.mozilla.org/en-
US/docs/Web/Security/HTTP_strict_transport_security#Preloading_Strict_Transport_Security
https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet#Examples
I propose the addition of a new preference named `SECURE_HSTS_PRELOAD`
that enables the directive, and behaves in a similar manner to defining
`SECURE_HSTS_INCLUDE_SUBDOMAINS`.
I'll open a PR shortly :-)
--
Ticket URL: <https://code.djangoproject.com/ticket/26947>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
Django
Reporter: edmorley | Owner: edmorley
Type: New feature | Status: new
Component: HTTP handling | Version: master
Keywords: hsts preload | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Changes (by timgraham):
* needs_better_patch: => 0
* stage: Unreviewed => Accepted
* needs_tests: => 0
* needs_docs: => 0
--
Ticket URL: <https://code.djangoproject.com/ticket/26947#comment:1>
Django
Reporter: edmorley | Owner: edmorley
Type: New feature | Status: assigned
Component: HTTP handling | Version: master
Keywords: hsts preload | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Changes (by edmorley):
* status: new => assigned
* has_patch: 0 => 1
Comment:
PR opened. I've also submitted a CLA.
--
Ticket URL: <https://code.djangoproject.com/ticket/26947#comment:2>
Django
Reporter: edmorley | Owner: edmorley
Type: New feature | Status: closed
Component: HTTP handling | Version: master
Keywords: hsts preload | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Easy pickings: 0 | UI/UX: 0
Comment (by Tim Graham <timograham@…>):
In [changeset:"7399fee6c3bb7eded1ecf5855d71520db299d79d" 7399fee6]:
{{{
#!CommitTicketReference repository=""
revision="7399fee6c3bb7eded1ecf5855d71520db299d79d"
Refs #26947 -- Added a deployment system check for SECURE_HSTS_PRELOAD.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/26947#comment:4>
Django
Reporter: edmorley | Owner: edmorley
Type: New feature | Status: closed
Component: HTTP handling | Version: master
Keywords: hsts preload | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Easy pickings: 0 | UI/UX: 0
Changes (by Tim Graham <timograham@…>):
* status: assigned => closed
* resolution: => fixed
Comment:
In [changeset:"3c2447dd13e495d57700ca8447896acd85044444" 3c2447dd]:
{{{
#!CommitTicketReference repository=""
revision="3c2447dd13e495d57700ca8447896acd85044444"
Fixed #26947 -- Added an option to enable the HSTS header preload
directive.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/26947#comment:3>