Hello,
I know this is a noob question but I cannot find guidance. I created a blog as a learning exercise for
django and python. It is live deployed now using the (seemingly classic!) Nginx, Gunicorn and Django stack. My question is around various security settings which seemingly can be made either at both Nginx level or django level. Because of this, the response header is showing duplicates with mismatches where they do not align.
Whilst it does not appear as an issue in itself( website responds and renders all fine ), I was wondering what is best practice/the norm? Is there a hierarchy of priority e.g. make the setting in Nginx if you can otherwise apply it in django? Or is it normal to make the same settings in all layers where it is available?
Example live response header below - note the doubling up of referrer-policy and a couple of others:
content-encoding: gzip
content-security-policy: default-src 'self' http: https: data: blob: 'unsafe-inline'; frame-ancestors 'self';
content-type: text/html; charset=utf-8
cross-origin-opener-policy: same-origin
date: Mon, 11 Apr 2022 12:08:04 GMT
permissions-policy: interest-cohort=()
referrer-policy: same-origin
referrer-policy: same-origin
server: nginx
strict-transport-security: max-age=3600
strict-transport-security: max-age=31536000; includeSubDomains
vary: Accept-Encoding
x-content-type-options: nosniff
x-content-type-options: nosniff
x-frame-options: DENY
x-xss-protection: 1; mode=block
I’m ignoring Gunicorn for time being even though some of the same setting are available there as as well.