[django] https+hsts zprovozneni na heroku #82

na heroku se nepouzivalo production_settings, tedy vsechny moznosti byly aktivni jen na travisu/manualni produkci na lokalu + dodani hsts

scripts/shell/release_tasks_heroku.sh

@@ -1,5 +1,4 @@
 #!/usr/bin/env bash
-# na heroku neni potreba provadet collectstatic
+# na heroku neni potreba provadet collectstatic, export promennych nelze provest
 
-export DJANGO_SETTINGS_MODULE=up.production_settings
 python manage.py migrate

up/production_settings.py

@@ -3,9 +3,11 @@
 
 from .settings import *  # lgtm [py/polluting-import]
 
-# pro funkcni testy na Travisu
 if os.getenv("TRAVIS"):
-    MANUAL_PRODUCTION = True
+    MANUAL_PRODUCTION = True  # pro funkcni testy na Travisu
+    STATICFILES_DIRS = [
+        os.path.join(BASE_DIR, "frontend", "dist")
+    ]  # jen na Travisu (zde se pak slozka smaze)
 
 ALLOWED_HOSTS = [
     "uspesnyprvnacek.herokuapp.com",
@@ -15,18 +17,18 @@
 
 sentry_sdk.init(environment=ENVIRONMENT, integrations=[DjangoIntegration()])
 
-# Static files
-STATICFILES_STORAGE = "whitenoise.storage.CompressedManifestStaticFilesStorage"
-STATICFILES_DIRS = [os.path.join(BASE_DIR, "frontend", "dist")]
-
-# Django konstanty
+# Django konstanty pro bezpecnost
 SECURE_BROWSER_XSS_FILTER = True
-SECURE_SSL_REDIRECT = True
 SESSION_COOKIE_SECURE = True
 SECURE_CONTENT_TYPE_NOSNIFF = True
 CSRF_COOKIE_SECURE = True
 X_FRAME_OPTIONS = "DENY"
 
+SECURE_SSL_REDIRECT = True
+SECURE_HSTS_SECONDS = 63072000  # 2 roky
+SECURE_HSTS_PRELOAD = True
+SECURE_HSTS_INCLUDE_SUBDOMAINS = True
+
 if MANUAL_PRODUCTION:
     DEBUG = False
     ALLOWED_HOSTS.append("localhost")

up/settings.py

@@ -139,6 +139,7 @@
 # Static files
 STATIC_ROOT = os.path.join(BASE_DIR, "staticfiles")
 STATIC_URL = "/static/"
+STATICFILES_STORAGE = "whitenoise.storage.CompressedManifestStaticFilesStorage"
 
 # debug toolbar
 DEBUG_TOOLBAR_PANELS = [