[extensions-web] secure: added some basic secure options. Mostly for production use.



commit bf0f1f8938a80888e650e6ce3107d7d54258e5b3
Author: Yuri Konotopov <ykonotopov gnome org>
Date:   Thu Nov 3 19:07:57 2016 +0300

    secure: added some basic secure options. Mostly for production use.

 sweettooth/settings.py |   16 ++++++++++++++++
 1 files changed, 16 insertions(+), 0 deletions(-)
---
diff --git a/sweettooth/settings.py b/sweettooth/settings.py
index 8be9059..4aa779c 100644
--- a/sweettooth/settings.py
+++ b/sweettooth/settings.py
@@ -67,10 +67,13 @@ MIDDLEWARE_CLASSES = (
     'django.contrib.sessions.middleware.SessionMiddleware',
     'django.middleware.csrf.CsrfViewMiddleware',
     'django.middleware.clickjacking.XFrameOptionsMiddleware',
+    'django.middleware.security.SecurityMiddleware',
     'django.contrib.auth.middleware.AuthenticationMiddleware',
     'django.contrib.messages.middleware.MessageMiddleware',
 )
 
+SECURE_BROWSER_XSS_FILTER = True
+SECURE_CONTENT_TYPE_NOSNIFF = True
 X_FRAME_OPTIONS = 'DENY'
 
 ROOT_URLCONF = 'sweettooth.urls'
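Review bot: `SecurityMiddleware` is inserted after the session, CSRF and clickjacking middleware, but Django's guidance is to place it near the top of the list, especially once `SECURE_SSL_REDIRECT` is enabled (as the second hunk does), so that a plain-HTTP request is redirected before the session and CSRF layers process it. I would move `'django.middleware.security.SecurityMiddleware',` to be the first entry of `MIDDLEWARE_CLASSES`. The start of the `MIDDLEWARE_CLASSES` tuple is outside this hunk, so the first entry is not visible here. Since `X_FRAME_OPTIONS = 'DENY'` is already set and `SECURE_CONTENT_TYPE_NOSNIFF` is now on, a short comment such as `# Response hardening headers; applied by SecurityMiddleware / XFrameOptionsMiddleware` above the three settings would help the next reader see they belong together.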
@@ -199,7 +202,20 @@ DEFAULT_FROM_EMAIL = "noreply gnome org"
 
 THUMBNAIL_DEBUG = True
 
+NO_SECURE_SETTINGS = False
+
 try:
     from local_settings import *
 except ImportError:
     pass
+
+
+# Enable secure settings in case DEBUG is disabled and NO_SECURE_SETTINGS is not set to True
+if not DEBUG and not NO_SECURE_SETTINGS:
+    CSRF_COOKIE_HTTPONLY = True
+    CSRF_COOKIE_SECURE = True
+    SESSION_COOKIE_SECURE = True
+    SECURE_HSTS_SECONDS = 4 * 60 * 60
+    SECURE_HSTS_INCLUDE_SUBDOMAINS = True
+    SECURE_PROXY_SSL_HEADER = ('HTTPS', 'https')
+    SECURE_SSL_REDIRECT = True
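Review bot: `SECURE_PROXY_SSL_HEADER = ('HTTPS', 'https')` makes Django treat a request as secure only when `request.META['HTTPS']` equals exactly `'https'`; `HTTPS` here is a server-set WSGI environ variable (client-supplied headers arrive as `HTTP_*` keys), which is good against spoofing, but servers that set it commonly use the value `'on'`, so unless the deployment is known to export `HTTPS=https`, `is_secure()` will stay false and the new `SECURE_SSL_REDIRECT = True` will redirect every request in a loop. I would confirm the exact variable and value with the production proxy configuration and document it inline, e.g. `# Production proxy exports META['HTTPS']='https' for TLS requests; a wrong value here causes a redirect loop with SECURE_SSL_REDIRECT`. If the deployment instead relies on a forwarded header such as `HTTP_X_FORWARDED_PROTO`, that header must be stripped from incoming client requests at the proxy, otherwise a client can mark its own request as secure. `SECURE_HSTS_SECONDS = 4 * 60 * 60` is a sensible trial value, but `SECURE_HSTS_INCLUDE_SUBDOMAINS = True` applies the policy to every subdomain of the served host, so it is worth noting in a comment that all subdomains must serve TLS before the max-age is raised.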

