
I am setting up site-wide HTTPS for my Django 1.8 project. I have no experience in web security.

I am configuring an HTTP-to-HTTPS redirect and HSTS.

Right now I am configuring it on my Apache/mod_wsgi web server (I am on a PaaS, so I configure it through a .htaccess file in the WSGI root):

wsgi/.htaccess

# Redirect HTTP to HTTPS

RewriteEngine on
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [R,L]

# Add HSTS header
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"

# Deny rendering inside an iframe
Header always set X-Frame-Options DENY

Following the SSL recommendations in the official Django documentation, I secure the cookies in my production settings:

settings/prod.py

...
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True
...

Note: I have not yet set SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https"), because I am not yet sure whether the PaaS proxies and strips this header between the proxy and the web container.

Django (since 1.8) now ships its own SecurityMiddleware (from the old django-secure), which implements the SSL redirect and handles the HSTS header and other goodies.

Should I let Django handle all of the HTTPS redirect/HSTS configuration, or do it at the web server level? What are the security/performance implications of each choice?

References read/used:

https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

https://garron.net/crypto/hsts/hsts-2013.pdf

https://cipherli.st/

https://mozilla.github.io/server-side-tls/ssl-config-generator/

https://security.stackexchange.com/questions/8964/trying-to-make-a-django-based-site-use-https-only-not-sure-if-its-secure

http://www.marinamele.com/2014/09/security-on-django-app-https-everywhere.html

https://raymii.org/s/tutorials/HTTP_Strict_Transport_Security_for_Apache_NGINX_and_Lighttpd.html

https://docs.djangoproject.com/en/1.8/topics/security/


1 Answer


It's been a while since you've asked the question. Anyway, I faced similar doubts. The documentation is ambiguous whether we should enable HSTS at the app level or on a web server:

HSTS may either be configured with SECURE_HSTS_SECONDS, SECURE_HSTS_INCLUDE_SUBDOMAINS, and SECURE_HSTS_PRELOAD, or on the Web server.

The deployment checklist (manage.py check --deploy) suggests to set SECURE_HSTS_SECONDS on production.

On the other hand, Django book states:

HSTS is usually configured on the web server.

Considering security, both the server setup and the Django middleware do the same thing. They set the "Strict-Transport-Security" response header. I believe that web servers have better performance than Django middleware, though I haven't tested it.

Also, Two Scoops of Django suggests that it is better to put the HTTPS redirect settings on the web server:

Performance-wise, it’s better to do this at the web server level (p. 347)

answered 2018-04-05T15:55:15.913
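The question's open point, whether to set SECURE_PROXY_SSL_HEADER behind a TLS-terminating PaaS proxy, can be exercised without a running Apache or Django. The block below is an added example, not code from the question, the answer, or the Django project: a minimal pure-Python WSGI middleware that reproduces the redirect and HSTS decisions Django's SecurityMiddleware makes (301 to https when the request is not secure, Strict-Transport-Security only on secure responses, a forwarded-proto header trusted only when explicitly configured). The request environs, the host example.com and the hello_app application are constructed sample data.

```python
"""
Added illustration: a WSGI middleware mirroring the redirect/HSTS logic of
Django's SecurityMiddleware, driven by constructed sample requests so the
effect of (not) trusting X-Forwarded-Proto can be seen offline.
"""
from urllib.parse import quote


def hsts_header_value(seconds, include_subdomains=True, preload=True):
    """Render the header value; with the defaults this matches the .htaccess line above."""
    parts = [f"max-age={seconds}"]
    if include_subdomains:
        parts.append("includeSubDomains")
    if preload:
        parts.append("preload")
    return "; ".join(parts)


def request_is_secure(environ, proxy_ssl_header=None):
    """Same rule as Django's HttpRequest.is_secure(): the WSGI scheme is trusted;
    a forwarded-proto header is trusted only when the deployment opts in."""
    if environ.get("wsgi.url_scheme") == "https":
        return True
    if proxy_ssl_header is not None:
        header_name, expected = proxy_ssl_header  # e.g. ("HTTP_X_FORWARDED_PROTO", "https")
        return environ.get(header_name) == expected
    return False


class SecurityMiddleware:
    def __init__(self, app, ssl_redirect=True, hsts_seconds=0,
                 hsts_include_subdomains=True, hsts_preload=True,
                 proxy_ssl_header=None):
        self.app = app
        self.ssl_redirect = ssl_redirect
        self.hsts_seconds = hsts_seconds
        self.hsts_include_subdomains = hsts_include_subdomains
        self.hsts_preload = hsts_preload
        self.proxy_ssl_header = proxy_ssl_header

    def __call__(self, environ, start_response):
        secure = request_is_secure(environ, self.proxy_ssl_header)
        if self.ssl_redirect and not secure:
            # Permanent redirect to the same URL over https, as Django does.
            host = environ.get("HTTP_HOST", "localhost")
            path = quote(environ.get("PATH_INFO", "/"))
            query = environ.get("QUERY_STRING", "")
            location = f"https://{host}{path}" + (f"?{query}" if query else "")
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]

        def start_response_with_hsts(status, headers, exc_info=None):
            headers = list(headers)
            present = {name.lower() for name, _ in headers}
            # HSTS is only meaningful on an HTTPS response; browsers ignore it over HTTP.
            if secure and self.hsts_seconds and "strict-transport-security" not in present:
                headers.append(("Strict-Transport-Security",
                                hsts_header_value(self.hsts_seconds,
                                                  self.hsts_include_subdomains,
                                                  self.hsts_preload)))
            return start_response(status, headers, exc_info)

        return self.app(environ, start_response_with_hsts)


def hello_app(environ, start_response):
    """Constructed stand-in for the Django application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]


def call(app, environ):
    """Drive one WSGI request and return (status, headers dict, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def proxied_environ(forwarded_proto="https"):
    """Constructed request as seen by the container when a PaaS proxy has
    terminated TLS and speaks plain HTTP to mod_wsgi."""
    return {"wsgi.url_scheme": "http", "HTTP_HOST": "example.com",
            "PATH_INFO": "/login/", "QUERY_STRING": "next=/account/",
            "HTTP_X_FORWARDED_PROTO": forwarded_proto}


if __name__ == "__main__":
    untrusted = SecurityMiddleware(hello_app, hsts_seconds=63072000)
    trusted = SecurityMiddleware(hello_app, hsts_seconds=63072000,
                                 proxy_ssl_header=("HTTP_X_FORWARDED_PROTO", "https"))
    print("header not trusted:", call(untrusted, proxied_environ())[:2])
    print("header trusted:    ", call(trusted, proxied_environ())[:2])
```

Run with the forwarded header untrusted, the proxied HTTPS request is redirected to its own https URL, which the proxy delivers again as plain HTTP: the redirect loop the questioner is right to worry about. With the header trusted, the same request is served and receives the HSTS header, but now the middleware believes whatever X-Forwarded-Proto says, so that setting is only safe once it is confirmed that the proxy overwrites (or strips) the client-supplied value on every request. Doing the redirect in .htaccess, as in the question, leaves the same trust decision with the RewriteCond on X-Forwarded-Proto; moving it into Django does not change the risk, only where it is expressed.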