chore(deploy): harden Heroku production settings #224
Merged
Address all issues reported by `manage.py check --deploy` and apply Heroku-specific best practices:

- Add `SecurityMiddleware` (was missing, so all SECURE_* settings had no effect) and move WhiteNoise directly after it.
- Enable HTTPS hardening in production: SECURE_SSL_REDIRECT, HSTS (1y, subdomains, preload), SESSION_COOKIE_SECURE, CSRF_COOKIE_SECURE, and SECURE_PROXY_SSL_HEADER so Django trusts Heroku's X-Forwarded-Proto (prevents an infinite redirect loop).
- Set AWS_S3_FILE_OVERWRITE = False to avoid silently overwriting user-uploaded files (wagtailadmin.W004).
- Use persistent, TLS-required database connections for Heroku Postgres (conn_max_age=600, conn_health_checks=True, ssl_require=True).
- Replace deprecated runtime.txt with .python-version.
Summary

Hardens the Heroku production deployment. Resolves every issue reported by `python manage.py check --deploy` (went from 5 issues → 0 real findings) and applies Heroku-specific best practices.

Changes

Security / HTTPS

- `django.middleware.security.SecurityMiddleware` — it was missing entirely, so none of the `SECURE_*` settings had any effect (security.W001). WhiteNoise is moved directly after it as recommended.
- `production.py`: `SECURE_SSL_REDIRECT`, HSTS (1 year, subdomains, preload), `SESSION_COOKIE_SECURE` (security.W012), `CSRF_COOKIE_SECURE` (security.W016).
- `SECURE_PROXY_SSL_HEADER` — Heroku terminates TLS at the router and forwards plain HTTP to the dyno. Django must trust `X-Forwarded-Proto`, otherwise `SECURE_SSL_REDIRECT` causes an infinite redirect loop.

Storage

- `AWS_S3_FILE_OVERWRITE = False` — prevents silently overwriting/deleting user-uploaded files that share a name (wagtailadmin.W004).

Database

- `conn_max_age=600`, `conn_health_checks=True`, `ssl_require=True`. Avoids a new TCP+TLS connection on every request. Scoped to `production.py` (dev/tests keep SQLite).

Tooling

- `runtime.txt` replaced with `.python-version` (Heroku's current mechanism).

Validation

- `check --deploy` now reports 0 real issues (only the `SECRET_KEY` warning remains, a false positive from the dummy key used during the check; the real `DJANGO_SECRET_KEY` is long and random).
- `ruff check` passes.
- `runtime.txt` in Dockerfile/Taskfile/compose.

Deploy note

After this is live, `SECURE_SSL_REDIRECT` + HSTS take effect. HSTS preload is a strong commitment (browsers will refuse plain HTTP for python.ie and subdomains for 1 year) — appropriate here since the site is already HTTPS-only.
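The redirect-loop reasoning in the Security / HTTPS section and the security.W001 point, as an added example (not code from the python.ie repository or this PR): a simplified Python model of Django's `is_secure()` check and `SecurityMiddleware`'s redirect decision, fed a constructed Heroku-style request. `SECURITY_MW`, `heroku_redirect_hops` and the three settings dicts are the example's own names, and the dyno-side META is constructed to mirror the router behaviour the PR describes.

```python
"""Added example (not from the python.ie repo or this PR): minimal model of why
SECURE_PROXY_SSL_HEADER is needed behind Heroku's TLS-terminating router, and
why SECURE_* settings are inert when SecurityMiddleware is not installed."""

SECURITY_MW = "django.middleware.security.SecurityMiddleware"


def is_secure(meta: dict, proxy_header) -> bool:
    """Simplified HttpRequest.is_secure(): trust the forwarded header only if configured."""
    if proxy_header is not None:
        name, secure_value = proxy_header
        value = meta.get(name)
        if value is not None:
            # Django takes the first comma-separated value and compares it literally.
            return value.split(",")[0].strip() == secure_value
    return meta.get("wsgi.url_scheme") == "https"


def security_redirects(settings: dict, meta: dict) -> bool:
    """True if SecurityMiddleware.process_request would 301 this request to https."""
    if SECURITY_MW not in settings.get("MIDDLEWARE", []):
        return False  # middleware missing: SECURE_SSL_REDIRECT is ignored (security.W001)
    if not settings.get("SECURE_SSL_REDIRECT"):
        return False
    return not is_secure(meta, settings.get("SECURE_PROXY_SSL_HEADER"))


def heroku_redirect_hops(settings: dict, max_hops: int = 5) -> int:
    """Count 301s a browser that already used https sees before the page loads.
    Heroku's router terminates TLS and forwards plain HTTP to the dyno with
    X-Forwarded-Proto: https, so the dyno sees the same (constructed) META each hop."""
    meta = {"wsgi.url_scheme": "http", "HTTP_X_FORWARDED_PROTO": "https"}
    hops = 0
    while hops < max_hops and security_redirects(settings, meta):
        hops += 1  # each 301 sends the browser back to https://..., same META again
    return hops


# Constructed settings fragments, trimmed to the keys that matter here.
NO_MIDDLEWARE = {"MIDDLEWARE": [], "SECURE_SSL_REDIRECT": True}
REDIRECT_ONLY = {"MIDDLEWARE": [SECURITY_MW], "SECURE_SSL_REDIRECT": True}
HARDENED = {**REDIRECT_ONLY,
            "SECURE_PROXY_SSL_HEADER": ("HTTP_X_FORWARDED_PROTO", "https")}

if __name__ == "__main__":
    print("no middleware :", heroku_redirect_hops(NO_MIDDLEWARE), "redirects (setting inert)")
    print("redirect only :", heroku_redirect_hops(REDIRECT_ONLY), "redirects (capped: loop)")
    print("hardened      :", heroku_redirect_hops(HARDENED), "redirects")
```

Running it shows the middle configuration hitting the hop cap (the infinite loop) while the hardened one serves the page on the first request; a genuinely plain-HTTP request is still redirected because the forwarded header then reads `http`.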