HSTS headers for Django + Nginx projects - should the headers be set by Django SecurityMiddleware or Nginx?
HSTS = HTTP Strict Transport Security
For sites that should only be accessed over HTTPS, you can instruct modern browsers to refuse to connect to your domain name via an insecure connection (for a given period of time) by setting the “Strict-Transport-Security” header. This reduces your exposure to some SSL-stripping man-in-the-middle (MITM) attacks.
SecurityMiddleware will set this header for you on all HTTPS responses if you set the SECURE_HSTS_SECONDS setting to a non-zero integer value.
However, this header can also be set by Nginx in the conf file by adding one line:
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains;";
So the question is: should we configure Nginx to set this header, or Django SecurityMiddleware by adding the HSTS settings to the project settings file?
That's entirely up to you. If you run multiple sites, it may be easier to set a global value in your web server configuration. However, if you set it in Django, it will be easier to move your application to a new web server.
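Whichever layer you choose, it is worth checking what the deployed response actually carries: if both Nginx and SecurityMiddleware emit the header, the response contains two Strict-Transport-Security fields and browsers process only the first (RFC 6797 section 8.1). The following checker is an added example, not code from the question, the answer or Django; the one-year baseline and the sample responses are assumptions.

```python
"""Parse and sanity-check Strict-Transport-Security headers (RFC 6797)."""
from typing import Dict, List, Tuple

# Assumed baseline: one year. The nginx line above uses 63072000 s (two years).
MIN_RECOMMENDED_MAX_AGE = 31536000


def parse_hsts(value: str) -> Dict[str, str]:
    """Split 'max-age=...; includeSubDomains; preload' into a directive map.

    Directive names are case-insensitive, so keys are lowercased.
    """
    directives: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_hsts(headers: List[Tuple[str, str]], over_https: bool = True) -> List[str]:
    """Return findings for the HSTS headers of one response.

    `headers` is a list of (name, value) pairs as the server emitted them.
    """
    hsts = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if not over_https:
        # Browsers ignore HSTS on plain-HTTP responses; Django only sends it over HTTPS.
        return ["HSTS on an HTTP response is ignored by browsers"] if hsts else []
    if not hsts:
        return ["no Strict-Transport-Security header"]
    findings: List[str] = []
    if len(hsts) > 1:
        findings.append(f"{len(hsts)} HSTS headers present (Django and Nginx both set it?); "
                        "browsers honour only the first")
    d = parse_hsts(hsts[0])  # only the first header counts, as in the browser
    max_age = d.get("max-age", "")
    if not max_age.isdigit():
        findings.append("max-age directive missing or not an integer")
    elif int(max_age) == 0:
        findings.append("max-age=0 clears the HSTS policy")
    elif int(max_age) < MIN_RECOMMENDED_MAX_AGE:
        findings.append(f"max-age {max_age} is below one year")
    return findings


if __name__ == "__main__":
    # Constructed sample: Nginx and Django both set the header on one response.
    sample = [("Strict-Transport-Security", "max-age=63072000; includeSubdomains;"),
              ("strict-transport-security", "max-age=3600")]
    print(check_hsts(sample))
```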