#31980 closed Bug (invalid)
manage.py check --deploy should not throw security.W004 warning if SECURE_HSTS_SECONDS is explicitly set to 0
| Reported by: | Magnus Longva | Owned by: | nobody |
|---|---|---|---|
| Component: | Core (Management commands) | Version: | dev |
| Severity: | Normal | Keywords: | check deploy |
| Cc: | Adam Johnson | Triage Stage: | Unreviewed |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
If you run
manage.py check --deploy
on a Django project where you have explicitly set SECURE_HSTS_SECONDS = 0 in the settings file, you get a warning
?: (security.W004) You have not set a value for the SECURE_HSTS_SECONDS setting. If your entire site is served only over SSL, you may want to consider setting a value and enabling HTTP Strict Transport Security. Be sure to read the documentation first; enabling HSTS carelessly can cause serious, irreversible problems.
This warning should only appear if you have not specified SECURE_HSTS_SECONDS anywhere.
Change History (3)
comment:1 by , 4 years ago
| Cc: | added |
|---|---|
| Easy pickings: | unset |
| Resolution: | → invalid |
| Status: | new → closed |
comment:2 by , 4 years ago
If you want to ignore this warning you can add it to the SILENCED_SYSTEM_CHECKS setting.
comment:3 by , 4 years ago
Indeed, the middleware only sends the header if the value is truthy.
I also don't think sending a max age of 0 seconds is valid, it's essentially saying not to use HSTS.
Note:
See TracTickets
for help on using tickets.
As far as I'm aware setting
SECURE_HSTS_SECONDSto0doesn't set the HTTP Strict Transport Security header on responses, so this warning is still valid.