What should I set my SECURE_HSTS_SECONDS setting to for production? And what are all the other security settings I should have in production?

What should I set my SECURE_HSTS_SECONDS setting to for production? This is my first time adding security for my production deployment, and I know from reading the documentation that this can be tricky and can even break my site.

In addition, according to Render (render.com), when I ran python manage.py check --settings=django_boards.settings.production --deploy in production, it told me to add SECURE_SSL_REDIRECT=True, SESSION_COOKIE_SECURE=True, CSRF_COOKIE_SECURE=True as well. Is that enough, or am I missing other security settings for production? Thanks!
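The settings the deploy check asks for, collected into one production settings module, as an added example (not the poster's file and not code from the thread). Module path, hostnames and the proxy header are placeholders; the HSTS values follow the staged ramp (a short max-age first, then a long one) that the Django HSTS documentation describes, and the SECURE_PROXY_SSL_HEADER line assumes the hosting platform terminates TLS and sets X-Forwarded-Proto, which you should confirm in your host's documentation before enabling it.

```python
# settings/production.py  (added example; the base module import is assumed
# and left out so this file stands alone)

DEBUG = False
ALLOWED_HOSTS = ["example.com", "www.example.com"]  # placeholder hosts

# The three settings `manage.py check --deploy` reported as missing.
SECURE_SSL_REDIRECT = True      # redirect every http:// request to https://
SESSION_COOKIE_SECURE = True    # browser sends the session cookie only over HTTPS
CSRF_COOKIE_SECURE = True       # same for the CSRF cookie

# Also checked by --deploy; these are the Django defaults since 3.0 / 3.1,
# written out so a reviewer can see them.
SECURE_CONTENT_TYPE_NOSNIFF = True
X_FRAME_OPTIONS = "DENY"                 # enforced by XFrameOptionsMiddleware
SECURE_REFERRER_POLICY = "same-origin"

# HSTS. A browser that has cached the policy will refuse plain http:// for
# this host until max-age runs out, so start small and only raise the value
# once every page, asset and subdomain is confirmed to work over HTTPS.
SECURE_HSTS_SECONDS = 3600               # stage 1: one hour while verifying
# SECURE_HSTS_SECONDS = 60 * 60 * 24 * 7 # stage 2: one week
# SECURE_HSTS_SECONDS = 31536000         # stage 3: one year (required for preload)
SECURE_HSTS_INCLUDE_SUBDOMAINS = False   # True only when every subdomain serves HTTPS
SECURE_HSTS_PRELOAD = False              # True only with a one-year max-age + includeSubDomains

# Behind a TLS-terminating proxy Django otherwise sees every request as plain
# HTTP and SECURE_SSL_REDIRECT would loop forever. Only set this if the proxy
# overwrites the header on every request; if clients can inject it, a plain
# HTTP request can impersonate an HTTPS one. (Assumption: the platform sets
# X-Forwarded-Proto; check your host's docs.)
SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")
```

Run python manage.py check --deploy --settings=<this module> again after the change; it should no longer warn about these settings, though it will still flag DEBUG, SECRET_KEY or ALLOWED_HOSTS if those are wrong. Once the site has run on the one-hour value for a while with no mixed-content or redirect problems, raise SECURE_HSTS_SECONDS, and only then consider includeSubDomains and preload.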

The Django-recommended guidelines are documented at HTTP Strict Transport Security. The third paragraph provides specific recommendations.

Thanks @KenWhitesell! If I set it to 3600 seconds (1 hour), will it then reset to another 3600 seconds and so on? Is that an OK setting, or is it too short?

@adamchainz has a good post explaining the various settings here:

It’s worth a read!

2 Likes

In addition to seeing Adam’s excellent article, you might also want to read the MDN page on Strict-Transport-Security for a more detailed explanation.

To specifically answer your question, each time the browser receives the Strict-Transport-Security header in a secure (HTTPS) response, the clock is started again.

1 Like
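To make the "clock is started again" behaviour concrete, here is a small model of a browser's HSTS cache, written for this thread rather than taken from it or from Django. The header-building helper reproduces the value format Django's SecurityMiddleware emits from SECURE_HSTS_SECONDS, SECURE_HSTS_INCLUDE_SUBDOMAINS and SECURE_HSTS_PRELOAD (max-age, then optional includeSubDomains and preload); the cache follows the RFC 6797 rules for when a header is honoured and how URLs are upgraded, and is a simplified model, not real browser code. Host names and timestamps in the usage are constructed.

```python
"""Model of a browser's HSTS cache: added example, not code from the thread or from Django."""
from __future__ import annotations

from typing import Optional
from urllib.parse import urlsplit, urlunsplit


def build_sts_header(seconds: int, include_subdomains: bool = False, preload: bool = False) -> str:
    """Strict-Transport-Security value Django builds from the SECURE_HSTS_* settings."""
    value = f"max-age={seconds}"
    if include_subdomains:
        value += "; includeSubDomains"
    if preload:
        value += "; preload"
    return value


def parse_sts_header(value: str) -> dict:
    """Split a header value into its directives; a malformed max-age voids the header."""
    result = {"max_age": None, "include_subdomains": False}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()            # directive names are case-insensitive
        if name == "max-age":
            try:
                result["max_age"] = int(arg.strip().strip('"'))
            except ValueError:
                return {"max_age": None, "include_subdomains": False}
        elif name == "includesubdomains":
            result["include_subdomains"] = True
    return result


class HstsCache:
    """Per-host policy as a browser keeps it: host -> (expires_at, include_subdomains)."""

    def __init__(self) -> None:
        self._policies: dict[str, tuple[float, bool]] = {}

    def observe_response(self, host: str, is_secure: bool, sts_header: Optional[str], now: float) -> None:
        # RFC 6797 §8.1: the header is ignored unless it arrived over a secure transport,
        # so a plain-HTTP response can neither create nor extend a policy.
        if not is_secure or sts_header is None:
            return
        directives = parse_sts_header(sts_header)
        max_age = directives["max_age"]
        if max_age is None:
            return
        if max_age == 0:
            # max-age=0 tells the browser to forget the host; this is how a site backs out.
            self._policies.pop(host, None)
            return
        # Every valid header restarts the clock from the moment it was received.
        self._policies[host] = (now + max_age, directives["include_subdomains"])

    def expires_at(self, host: str) -> Optional[float]:
        policy = self._policies.get(host)
        return policy[0] if policy else None

    def is_hsts_host(self, host: str, now: float) -> bool:
        """True if an unexpired policy covers the host directly or via includeSubDomains."""
        for known, (expires, include_sub) in self._policies.items():
            if expires <= now:
                continue
            if host == known or (include_sub and host.endswith("." + known)):
                return True
        return False

    def rewrite_url(self, url: str, now: float) -> str:
        """Upgrade http:// to https:// for known hosts (RFC 6797 §8.3: port 80 becomes the default 443)."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_hsts_host(parts.hostname or "", now):
            return url
        netloc = parts.hostname or ""
        if parts.port not in (None, 80):
            netloc += f":{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    cache = HstsCache()
    cache.observe_response("example.com", True, build_sts_header(3600), now=0)      # policy until t=3600
    cache.observe_response("example.com", True, build_sts_header(3600), now=3000)   # clock restarts: until t=6600
    print(cache.expires_at("example.com"), cache.rewrite_url("http://example.com/login", now=6000))
```

With a one-hour max-age the policy is therefore continuously renewed as long as a visitor keeps loading pages over HTTPS, and expires an hour after their last secure response. The practical consequence for the rollout question is that a short value limits how long a broken HTTPS setup locks visitors out, which is why the documentation suggests starting there.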

Thanks so much @carltongibson. Definitely will check it out. I also found some information regarding all this. But would love to see what the article says. I have my production site in maintenance mode until I get security completely settled (almost there with that), and my backend email service (for which I started another thread).

Thanks @KenWhitesell! I will check that out too!