What should I set my SECURE_HSTS_SECONDS setting to for production? This is my first time adding security for my production deployment, and I know from reading the documentation that this can be tricky and can even break my site.
In addition, when I ran python manage.py check --settings=django_boards.settings.production --deploy in production on Render (render.com), it told me to add SECURE_SSL_REDIRECT=True, SESSION_COOKIE_SECURE=True, and CSRF_COOKIE_SECURE=True as well. Is that enough, or am I missing other security settings for production? Thanks!
Thanks @KenWhitesell! If I set it to 3600 seconds (1 hour), will it then reset to another 3600 seconds and so on? Is that an OK setting, or is it too short?
In addition to seeing Adam’s excellent article, you might also want to read the MDN page on Strict-Transport-Security for a more detailed explanation.
To specifically answer your question, each time the browser receives the Strict-Transport-Security header in a secure (HTTPS) response, the clock is started again.
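The two things discussed above, the header Django emits for a given SECURE_HSTS_SECONDS and the browser-side clock that restarts on every HTTPS response carrying it, can be made concrete with the added example below. It is not code from this thread or from Django itself: hsts_header_value mirrors only how SecurityMiddleware builds the header value from SECURE_HSTS_SECONDS, SECURE_HSTS_INCLUDE_SUBDOMAINS and SECURE_HSTS_PRELOAD (the middleware additionally requires request.is_secure() and skips the header when one is already set), and HstsCache is a deliberately small model of a browser's HSTS store, with the host names and timestamps constructed for illustration.

```python
"""Model the HSTS clock from the browser's side, next to the header value
Django's SecurityMiddleware produces for a given SECURE_HSTS_* configuration.
Added example for illustration; not Django's own code."""
import re
from dataclasses import dataclass
from typing import Optional


def hsts_header_value(secure_hsts_seconds: int,
                      include_subdomains: bool = False,
                      preload: bool = False) -> Optional[str]:
    """Build the Strict-Transport-Security value the way Django does:
    no header at all when SECURE_HSTS_SECONDS is 0, otherwise max-age
    plus the optional includeSubDomains and preload directives."""
    if not secure_hsts_seconds:
        return None
    value = f"max-age={secure_hsts_seconds}"
    if include_subdomains:
        value += "; includeSubDomains"
    if preload:
        value += "; preload"
    return value


@dataclass
class HstsEntry:
    expires_at: float        # absolute time after which the policy lapses
    include_subdomains: bool


class HstsCache:
    """Minimal model of a browser's HSTS store (RFC 6797, section 8.1)."""

    def __init__(self) -> None:
        self._hosts: dict[str, HstsEntry] = {}

    def observe_response(self, host: str, over_https: bool,
                         header: Optional[str], now: float) -> None:
        # The header is only honoured on an HTTPS response; on plain HTTP
        # it is ignored, which is why SECURE_SSL_REDIRECT matters too.
        if not over_https or header is None:
            return
        m = re.search(r'max-age\s*=\s*"?(\d+)"?', header, re.IGNORECASE)
        if not m:
            return
        max_age = int(m.group(1))
        if max_age == 0:
            # max-age=0 tells the browser to forget the policy (how you back out)
            self._hosts.pop(host, None)
            return
        # Every qualifying response restarts the clock from "now":
        # a 3600 s policy is renewed on each HTTPS visit, not only once.
        self._hosts[host] = HstsEntry(
            expires_at=now + max_age,
            include_subdomains="includesubdomains" in header.lower(),
        )

    def should_upgrade(self, host: str, now: float) -> bool:
        """Would the browser rewrite http://host/... to https:// right now?"""
        for known, entry in self._hosts.items():
            if now >= entry.expires_at:
                continue
            if host == known or (entry.include_subdomains
                                 and host.endswith("." + known)):
                return True
        return False


def demo(max_age: int = 3600) -> list:
    """Walk through the 1-hour setting asked about in the thread.
    Host and timestamps are constructed; t=0 is the first HTTPS visit."""
    header = hsts_header_value(max_age)
    cache = HstsCache()
    cache.observe_response("example.com", True, header, 0.0)
    upgraded_at_30min = cache.should_upgrade("example.com", 1800.0)
    # Revisiting over HTTPS at 30 min resets the clock to expire at 1800 + 3600.
    cache.observe_response("example.com", True, header, 1800.0)
    upgraded_at_83min = cache.should_upgrade("example.com", 5000.0)
    # No further visits: after 1800 + 3600 = 5400 s the policy has lapsed.
    upgraded_at_100min = cache.should_upgrade("example.com", 6000.0)
    return [upgraded_at_30min, upgraded_at_83min, upgraded_at_100min]


if __name__ == "__main__":
    print(hsts_header_value(31536000, include_subdomains=True, preload=True))
    print(demo())
```

The practical consequence is that the browser never re-checks the policy before upgrading, so a value that is too long on a site whose HTTPS setup is not yet solid locks visitors out until the clock runs down; start with a short max-age such as 3600, raise it only once every page and subdomain is served correctly over HTTPS, and remember that sending max-age=0 is the only way to make browsers that already saw the header forget it.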
Thanks so much @carltongibson. I will definitely check it out. I also found some information regarding all this, but would love to see what the article says. I have my production site in maintenance mode until I get security completely settled (almost there with that) and my backend email service sorted out (for which I started another thread).