PPHA-682: Implement preload and subdomains for HSTS (#415)

Themitchell · web-flow · commit 22f324eab315 · 2026-03-30T12:05:32.000+01:00
# What is the change?

Implement preload and subdomains for HSTS

# Why are we making this change?
To ensure our HSTS implementation complies with accepted standards
diff --git a/lung_cancer_screening/settings.py b/lung_cancer_screening/settings.py
@@ -289,6 +289,8 @@ def pem_key_env(key, file_path_key=None):
 # Additional security settings for production
 if not DEBUG:
     SECURE_HSTS_SECONDS = 31536000
+    SECURE_HSTS_INCLUDE_SUBDOMAINS = True
+    SECURE_HSTS_PRELOAD = True
     SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")
     SECURE_SSL_REDIRECT = False
     SESSION_COOKIE_SECURE = True
