[Django] #31980: manage.py check --deploy should not throw security.W004 warning if SECURE_HSTS_SECONDS is explicitly set to 0


Django

Sep 3, 2020, 6:01:18 AM9/3/20
to django-...@googlegroups.com
#31980: manage.py check --deploy should not throw security.W004 warning if
SECURE_HSTS_SECONDS is explicitly set to 0
-------------------------------------+-------------------------------------
Reporter: magnus-longva-bouvet       | Owner: nobody
Type: Bug                            | Status: new
Component: Core (Management commands)| Version: master
Severity: Normal                     | Keywords: check deploy
Triage Stage: Unreviewed             | Has patch: 0
Needs documentation: 0               | Needs tests: 0
Patch needs improvement: 0           | Easy pickings: 1
UI/UX: 0                             |
-------------------------------------+-------------------------------------
If you run
{{{
manage.py check --deploy
}}}
on a Django project where you have explicitly set SECURE_HSTS_SECONDS = 0
in the settings file, you get a warning

{{{
?: (security.W004) You have not set a value for the SECURE_HSTS_SECONDS
setting. If your entire site is served only over SSL, you may want to
consider setting a value and enabling HTTP Strict Transport Security. Be
sure to read the documentation first; enabling HSTS carelessly can cause
serious, irreversible problems.
}}}

This warning should only appear if you have not specified
SECURE_HSTS_SECONDS anywhere.

--
Ticket URL: <https://code.djangoproject.com/ticket/31980>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django

Sep 3, 2020, 7:35:23 AM9/3/20
to django-...@googlegroups.com
#31980: manage.py check --deploy should not throw security.W004 warning if
SECURE_HSTS_SECONDS is explicitly set to 0
-------------------------------------+-------------------------------------
Reporter: magnus-longva-bouvet       | Owner: nobody
Type: Bug                            | Status: closed
Component: Core (Management commands)| Version: master
Severity: Normal                     | Resolution: invalid
Keywords: check deploy               | Triage Stage: Unreviewed
Has patch: 0                         | Needs documentation: 0
Needs tests: 0                       | Patch needs improvement: 0
Easy pickings: 0                     | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by felixxm):

* cc: Adam (Chainz) Johnson (added)
* status: new => closed
* resolution: => invalid
* easy: 1 => 0


Comment:

As far as I'm aware setting `SECURE_HSTS_SECONDS` to `0` doesn't set the
HTTP Strict Transport Security header on responses, so this warning is
still valid.

--
Ticket URL: <https://code.djangoproject.com/ticket/31980#comment:1>

Django

Sep 3, 2020, 7:39:00 AM9/3/20
to django-...@googlegroups.com
#31980: manage.py check --deploy should not throw security.W004 warning if
SECURE_HSTS_SECONDS is explicitly set to 0
-------------------------------------+-------------------------------------
Reporter: magnus-longva-bouvet       | Owner: nobody
Type: Bug                            | Status: closed
Component: Core (Management commands)| Version: master
Severity: Normal                     | Resolution: invalid
Keywords: check deploy               | Triage Stage: Unreviewed
Has patch: 0                         | Needs documentation: 0
Needs tests: 0                       | Patch needs improvement: 0
Easy pickings: 0                     | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by felixxm):

If you want to ignore this warning you can add it to the
[https://docs.djangoproject.com/en/3.1/ref/settings/#silenced-system-checks SILENCED_SYSTEM_CHECKS] setting.

--
Ticket URL: <https://code.djangoproject.com/ticket/31980#comment:2>

Django

Sep 3, 2020, 7:57:54 AM9/3/20
to django-...@googlegroups.com
#31980: manage.py check --deploy should not throw security.W004 warning if
SECURE_HSTS_SECONDS is explicitly set to 0
-------------------------------------+-------------------------------------
Reporter: Magnus Longva              | Owner: nobody
Type: Bug                            | Status: closed
Component: Core (Management commands)| Version: master
Severity: Normal                     | Resolution: invalid
Keywords: check deploy               | Triage Stage: Unreviewed
Has patch: 0                         | Needs documentation: 0
Needs tests: 0                       | Patch needs improvement: 0
Easy pickings: 0                     | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by Adam (Chainz) Johnson):

Indeed, the middleware only sends the header if the value is truthy.

I also don't think sending a max age of 0 seconds is valid, it's
essentially saying not to use HSTS.

--
Ticket URL: <https://code.djangoproject.com/ticket/31980#comment:3>
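As an added illustration (not part of the ticket thread and not Django's own source), the following Python models the two behaviours the comments above describe: the middleware emits Strict-Transport-Security only when SECURE_HSTS_SECONDS is truthy, and the deploy check emits security.W004 whenever the middleware is installed and the value is falsy, unless the ID is listed in SILENCED_SYSTEM_CHECKS. The settings dicts, the function names and the exact shape of the header-building logic are constructed for this example; the setting names (SECURE_HSTS_SECONDS, SECURE_HSTS_INCLUDE_SUBDOMAINS, SECURE_HSTS_PRELOAD, SILENCED_SYSTEM_CHECKS) are Django's documented settings.

```python
"""Simplified model (not Django's own code) of how SECURE_HSTS_SECONDS
drives both the Strict-Transport-Security header and security.W004."""

# Import path of the middleware the W004 check looks for.
SECURITY_MIDDLEWARE = "django.middleware.security.SecurityMiddleware"
W004 = "security.W004"

# Constructed sample settings; the values are illustrative only.
BASE_SETTINGS = {
    "MIDDLEWARE": [SECURITY_MIDDLEWARE],
    "SECURE_HSTS_SECONDS": 0,          # explicit 0, as in the ticket
}
SILENCED_SETTINGS = {**BASE_SETTINGS, "SILENCED_SYSTEM_CHECKS": [W004]}
ENABLED_SETTINGS = {
    **BASE_SETTINGS,
    "SECURE_HSTS_SECONDS": 31536000,   # one year
    "SECURE_HSTS_INCLUDE_SUBDOMAINS": True,
    "SECURE_HSTS_PRELOAD": True,
}


def hsts_header(settings, is_secure=True):
    """Return the Strict-Transport-Security value the middleware logic
    would add, or None.  The header is only built when the middleware is
    installed, the request came over HTTPS and the seconds value is
    truthy: 0 and None both fall through and send nothing."""
    if SECURITY_MIDDLEWARE not in settings.get("MIDDLEWARE", []):
        return None
    seconds = settings.get("SECURE_HSTS_SECONDS", 0)
    if not seconds or not is_secure:
        return None
    value = "max-age=%d" % seconds
    if settings.get("SECURE_HSTS_INCLUDE_SUBDOMAINS", False):
        value += "; includeSubDomains"
    if settings.get("SECURE_HSTS_PRELOAD", False):
        value += "; preload"
    return value


def deploy_warnings(settings):
    """IDs a `check --deploy`-style pass would report for HSTS, after
    dropping anything listed in SILENCED_SYSTEM_CHECKS.  W004 fires on
    the same truthiness test the middleware uses, which is why an
    explicit 0 still warns."""
    warnings = []
    middleware_on = SECURITY_MIDDLEWARE in settings.get("MIDDLEWARE", [])
    if middleware_on and not settings.get("SECURE_HSTS_SECONDS", 0):
        warnings.append(W004)
    silenced = set(settings.get("SILENCED_SYSTEM_CHECKS", []))
    return [w for w in warnings if w not in silenced]


def compare(settings_by_name):
    """Header and warnings for each named settings variant."""
    return {
        name: {"header": hsts_header(s), "warnings": deploy_warnings(s)}
        for name, s in settings_by_name.items()
    }


if __name__ == "__main__":
    variants = {
        "explicit_zero": BASE_SETTINGS,
        "silenced": SILENCED_SETTINGS,
        "enabled": ENABLED_SETTINGS,
    }
    for name, result in compare(variants).items():
        print(f"{name:14s} header={result['header']!r} "
              f"warnings={result['warnings']}")
```

Running it shows the distinction the comments turn on: with an explicit 0 no header is sent at all and W004 is reported; silencing the check changes the report but still sends no header; only a non-zero value produces a header and clears the warning. Note also that "sending nothing" is not the same as sending `max-age=0`: RFC 6797 defines a zero max-age as an instruction for the browser to stop treating the host as an HSTS host, so neither form enables HSTS.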
