From 48d087acf0c0b88fa1dc8470d0606c961ac968a8 Mon Sep 17 00:00:00 2001
From: gw3000
Date: Tue, 25 Jul 2023 07:59:17 +0200
Subject: [PATCH] Secure: CSP and HTTPS

---
 app/core/settings.py | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/app/core/settings.py b/app/core/settings.py
index 5f697f0..ae33511 100644
--- a/app/core/settings.py
+++ b/app/core/settings.py
@@ -25,6 +25,18 @@ CSRF_TRUSTED_ORIGINS = ["https://fbf.nabu-jena.de"]
 # Cookies
 SESSION_COOKIE_SECURE = True
+# DJANGO Content Security Policy
+CSP_DEFAULT_SRC = ("'self'",)
+CSP_STYLE_SRC = ("'self'",)
+CSP_SCRIPT_SRC = ("'self'",)
+CSP_IMG_SRC = ("'self'",)
+CSP_FONT_SRC = ("'self'",)
+
+# HTTPS
+SECURE_HSTS_SECONDS = 0
+SECURE_HSTS_INCLUDE_SUBDOMAINS = True
+SECURE_HSTS_PRELOAD = True
+
 # Allowed Hosts
 ALLOWED_HOSTS = [env("ALLOWED_HOSTS")]
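Review bot: `SECURE_HSTS_SECONDS = 0` in the "# HTTPS" block switches HSTS off, because Django's SecurityMiddleware only emits the Strict-Transport-Security header when this value is non-zero, so the `SECURE_HSTS_INCLUDE_SUBDOMAINS = True` and `SECURE_HSTS_PRELOAD = True` lines added beneath it currently have no effect and the commit title's "HTTPS" part is not yet delivered. A non-zero value such as `SECURE_HSTS_SECONDS = 3600  # raise towards 31536000 once every subdomain is confirmed to serve HTTPS` would activate the header; note that browser preload lists require a max-age of at least one year together with includeSubDomains, so the preload flag only becomes meaningful at that point. The CSP_* settings are read by the django-csp middleware, and the hunk does not show it being added to MIDDLEWARE or that `SecurityMiddleware` is present, so presumably both are configured elsewhere in the file; worth confirming, since otherwise none of these headers are sent. With `CSP_STYLE_SRC` and `CSP_SCRIPT_SRC` restricted to `'self'`, any inline styles or scripts in the project's templates will be blocked, which is the intended protection but should be checked against the admin and templates before deploying.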