Fix: add more security settings for HTTPS and CSRF

Author: Dev Nirwal

pdf_chat_project/settings.py

@@ -34,7 +34,7 @@
 # SECURITY WARNING: don't run with debug turned on in production!
 DEBUG = env.bool('DEBUG', default=False)
 
-ALLOWED_HOSTS = env.list('ALLOWED_HOSTS', default=['*'])
+ALLOWED_HOSTS = env.list('ALLOWED_HOSTS', default=['simple-rag.nstsdc.org', 'www.simple-rag.nstsdc.org', 'localhost', '127.0.0.1'])
 
 CSRF_TRUSTED_ORIGINS = env.list('CSRF_TRUSTED_ORIGINS', default=['http://simple-rag.nstsdc.org', 'https://simple-rag.nstsdc.org'])
 
@@ -43,6 +43,16 @@
 USE_X_FORWARDED_HOST = True
 USE_X_FORWARDED_PORT = True
 
+# HTTPS settings
+SESSION_COOKIE_SECURE = True
+CSRF_COOKIE_SECURE = True
+SECURE_SSL_REDIRECT = env.bool('SECURE_SSL_REDIRECT', default=False) # Traefik usually handles this
+SECURE_HSTS_SECONDS = 31536000
+SECURE_HSTS_INCLUDE_SUBDOMAINS = True
+SECURE_HSTS_PRELOAD = True
+SECURE_CONTENT_TYPE_NOSNIFF = True
+SECURE_BROWSER_XSS_FILTER = True
+
 
 # Application definition