http: Add section for HTTP headers, #110

open-contracting · Nov 4, 2024 · adad8e1 · adad8e1
1 parent ea22f71
commit adad8e1
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 0 deletions.
diff --git a/docs/http/index.rst b/docs/http/index.rst
@@ -0,0 +1,26 @@
+HTTP
+====
+
+In order of preference, set these headers in:
+
+-  project code
+-  ``default.conf`` file, if the project includes a `Docker image running nginx <https://ocp-software-handbook.readthedocs.io/en/latest/docker/dockerfile.html#base-images>`__
+-  `deploy <https://github.com/open-contracting/deploy>`__ repository, if the project runs third-party code, like WordPress
+
+X-Content-Type-Options
+----------------------
+
+If not already set (like via `SECURE_CONTENT_TYPE_NOSNIFF <https://docs.djangoproject.com/en/4.2/ref/settings/#std-setting-SECURE_CONTENT_TYPE_NOSNIFF>`__ in Django), set the header to:
+
+.. code-block:: none
+
+   nosniff
+
+Strict-Transport-Security (HSTS)
+--------------------------------
+
+If not already set (like via :ref:`SECURE_HSTS_SECONDS<django-env>` in Django), set the header to:
+
+.. code-block:: none
+
+   max-age=31536000; includeSubdomains; preload
diff --git a/docs/index.rst b/docs/index.rst
@@ -18,6 +18,7 @@ This work is licensed under a `Creative Commons Attribution 4.0 International Li
    javascript/index
    shell/index
    htmlcss/index
+   http/index
    docker/index
    services/index
    git/index

diff --git a/docs/python/django.rst b/docs/python/django.rst
@@ -148,6 +148,8 @@ In other modules, import settings from ``django.conf``, `as recommended <https:/
 
    :doc:`Settings guide<settings>`, for the general approach to configuration
 
+.. _django-env:
+
 Environment variables
 ~~~~~~~~~~~~~~~~~~~~~