Diffstat (limited to 'settings.py')
-rw-r--r-- | settings.py | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/settings.py b/settings.py
index 51c2633..83ce1b3 100644
--- a/settings.py
+++ b/settings.py
@@ -95,6 +95,11 @@ SMART_APPEND_SLASH = True
 SECRET_KEY = "not-the-real-secret-key-a#vaeozn0---^fj!355qki*vj2"
 LOGIN_REDIRECT_URL = '/'
+SECURE_CONTENT_TYPE_NOSNIFF = True
+SECURE_BROWSER_XSS_FILTER = True
+#SESSION_COOKIE_SECURE = True # if enabled, cannot login to Django control panel
+CSRF_COOKIE_SECURE = True
+X_FRAME_OPTIONS = 'SAMEORIGIN' # change to "DENY" after we eliminate all the iframes in use.
 INSTALLED_APPS = (
 'django.contrib.admin',
@@ -102,7 +107,7 @@ INSTALLED_APPS = (
 'django.contrib.contenttypes',
 'django.contrib.sessions',
 'django.contrib.messages',
-# 'django.contrib.staticfiles',
+# 'django.contrib.staticfiles', # apparently not working. Using workarounds with flatpages
 'registration',
 'troggle.profiles',
 'troggle.core',
@@ -110,6 +115,7 @@ INSTALLED_APPS = (
 )
 MIDDLEWARE_CLASSES = (
+ 'django.middleware.security.SecurityMiddleware',
 'django.middleware.common.CommonMiddleware',
 'django.contrib.sessions.middleware.SessionMiddleware',
 'django.contrib.auth.middleware.AuthenticationMiddleware', |
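Review bot: The commented-out `#SESSION_COOKIE_SECURE = True` in the first hunk leaves the session cookie — the actual authenticated credential — sendable over plain HTTP, while the far less sensitive CSRF cookie is marked Secure on the very next line; the comment that admin login breaks when it is enabled points to the admin being reached over HTTP, which is the condition to fix rather than a reason to drop the flag. The comment should record that, e.g. `#SESSION_COOKIE_SECURE = True # TODO: enable once the admin is served over HTTPS only; disabled because the admin is currently reached over plain HTTP, so the browser never returns a Secure cookie`, and the flag should be turned on as soon as the admin URL is HTTPS-only (if TLS terminates at a reverse proxy, check that the login redirect does not drop back to an http:// URL). Separately, `SECURE_BROWSER_XSS_FILTER` only sets X-XSS-Protection, a header modern browsers ignore; since this file still uses MIDDLEWARE_CLASSES it presumably targets a Django version where the setting still exists, but it should not be counted as XSS protection, and a `Content-Security-Policy` via the web server is the replacement. Note also that none of these settings has any effect unless `SecurityMiddleware` is installed, which the third hunk of this commit does.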
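Review bot: `SecurityMiddleware` is added as the first entry of `MIDDLEWARE_CLASSES`, which is the position Django documents so its headers reach every response, but none of the transport-hardening settings it honours appear in the settings hunk above — no `SECURE_SSL_REDIRECT`, `SECURE_HSTS_SECONDS` or `SECURE_PROXY_SSL_HEADER` — so as committed it only emits the nosniff and X-XSS-Protection headers. If the site is served over TLS, `SECURE_SSL_REDIRECT = True` plus a short initial `SECURE_HSTS_SECONDS` would close the plain-HTTP path that the disabled SESSION_COOKIE_SECURE comment hints at; if TLS terminates at a reverse proxy, `SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')` must be set first or the redirect will loop. The `MIDDLEWARE_CLASSES` tuple continues past the end of the hunk, so the rest of the ordering cannot be checked here.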