From db93a449f94ecb91043fe3dbe20e537639f08331 Mon Sep 17 00:00:00 2001
From: Stuart Maxwell
Date: Thu, 28 Nov 2024 19:47:14 +1300
Subject: [PATCH] New security settings
---
 config/settings.py | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/config/settings.py b/config/settings.py
index 268870d..ff39768 100644
--- a/config/settings.py
+++ b/config/settings.py
@@ -294,3 +294,18 @@ RESEND_API_KEY = env("RESEND_API_KEY")
 CONTACT_FORM_TO = env("CONTACT_FORM_TO")
 CONTACT_FORM_FROM = env("CONTACT_FORM_FROM")
+
+# Securtiy settings
+SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")
+
+# Redirect all HTTP traffic to HTTPS
+SECURE_SSL_REDIRECT = True
+
+# Use secure cookies
+SESSION_COOKIE_SECURE = True
+CSRF_COOKIE_SECURE = True
+
+# HSTS settings
+SECURE_HSTS_SECONDS = 31536000 # 1 year
+SECURE_HSTS_INCLUDE_SUBDOMAINS = True
+SECURE_HSTS_PRELOAD = True
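Review bot: `SECURE_PROXY_SSL_HEADER` is added without recording the proxy contract it depends on: Django treats a request as secure whenever `X-Forwarded-Proto: https` is present, so the setting is only sound if the fronting proxy overwrites that header on every request and the app cannot be reached except through it; otherwise a client-supplied header makes plain HTTP count as HTTPS for `SECURE_SSL_REDIRECT` and the secure-request CSRF checks. I would put a comment above it such as `# Trusts X-Forwarded-Proto: the reverse proxy must overwrite this header on every request, and the app must only be reachable through it`. The HSTS block is also unconditional with a one-year `SECURE_HSTS_SECONDS`, `SECURE_HSTS_INCLUDE_SUBDOMAINS` and `SECURE_HSTS_PRELOAD`, which commits every subdomain to HTTPS and is slow to undo; consider gating these settings on `not DEBUG` (assuming `DEBUG` is defined earlier in this file, which the hunk does not show) or starting with a short max-age until the deployment is confirmed. The comment `# Securtiy settings` should read `# Security settings`.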