diff --git a/docs/configuration/security.md b/docs/configuration/security.md index 2ae92285f..3b8120f5b 100644 --- a/docs/configuration/security.md +++ b/docs/configuration/security.md @@ -183,6 +183,31 @@ The view name or URL to which a user is redirected after logging out. --- +## SECURE_HSTS_INCLUDE_SUBDOMAINS + +Default: False + +If true, the `includeSubDomains` directive will be included in the HTTP Strict Transport Security (HSTS) header. This directive instructs the browser to apply the HSTS policy to all subdomains of the current domain. + +--- + +## SECURE_HSTS_PRELOAD + +Default: False + +If true, the `preload` directive will be included in the HTTP Strict Transport Security (HSTS) header. This directive instructs the browser to preload the site in HTTPS. Browsers that use the HSTS preload list will force the site to be accessed via HTTPS even if the user types HTTP in the address bar. + +--- + +## SECURE_HSTS_SECONDS + +Default: 0 + +If set to a non-zero integer value, the SecurityMiddleware sets the HTTP Strict Transport Security header on all responses that do not already have it. +If the website must be accessed via HTTPS, it is recommended to set SECURE_HSTS_SECONDS. It will make the browser remember that the website must be accessed via HTTPS, blocking any HTTP request. + +--- + ## SECURE_SSL_REDIRECT Default: False diff --git a/netbox/netbox/settings.py b/netbox/netbox/settings.py index 53b733652..ec698a8c0 100644 --- a/netbox/netbox/settings.py +++ b/netbox/netbox/settings.py @@ -160,6 +160,9 @@ RQ_RETRY_INTERVAL = getattr(configuration, 'RQ_RETRY_INTERVAL', 60) RQ_RETRY_MAX = getattr(configuration, 'RQ_RETRY_MAX', 0) SCRIPTS_ROOT = getattr(configuration, 'SCRIPTS_ROOT', os.path.join(BASE_DIR, 'scripts')).rstrip('/') SEARCH_BACKEND = getattr(configuration, 'SEARCH_BACKEND', 'netbox.search.backends.CachedValueSearchBackend') +SECURE_HSTS_INCLUDE_SUBDOMAINS = getattr(configuration, 'SECURE_HSTS_INCLUDE_SUBDOMAINS', False) +SECURE_HSTS_PRELOAD = getattr(configuration, 'SECURE_HSTS_PRELOAD', False) +SECURE_HSTS_SECONDS = getattr(configuration, 'SECURE_HSTS_SECONDS', 0) SECURE_SSL_REDIRECT = getattr(configuration, 'SECURE_SSL_REDIRECT', False) SENTRY_DSN = getattr(configuration, 'SENTRY_DSN', None) SENTRY_ENABLED = getattr(configuration, 'SENTRY_ENABLED', False) @@ -178,9 +181,7 @@ TIME_FORMAT = getattr(configuration, 'TIME_FORMAT', 'g:i a') TIME_ZONE = getattr(configuration, 'TIME_ZONE', 'UTC') ENABLE_LOCALIZATION = getattr(configuration, 'ENABLE_LOCALIZATION', False) CHANGELOG_SKIP_EMPTY_CHANGES = getattr(configuration, 'CHANGELOG_SKIP_EMPTY_CHANGES', True) -SECURE_HSTS_SECONDS = getattr(configuration, 'SECURE_HSTS_SECONDS', 0) -SECURE_HSTS_INCLUDE_SUBDOMAINS = getattr(configuration, 'SECURE_HSTS_INCLUDE_SUBDOMAINS', False) -SECURE_HSTS_PRELOAD = getattr(configuration, 'SECURE_HSTS_PRELOAD', False) + # Check for hard-coded dynamic config parameters for param in PARAMS: