feat: enhance security settings in staging.py for SSL and cookie protection

Author: Janek Mangold

django/{{ cookiecutter.project_slug }}/{{ cookiecutter.project_slug }}/settings/staging.py

@@ -15,4 +15,33 @@
 CORS_ALLOWED_ORIGIN_REGEXES = [
     r"^https://.*\.v2\.singular-it-test\.de$",
 ]
-{% endif %}
+{% endif %}
+
+# SECURITY
+
+# https://docs.djangoproject.com/en/dev/ref/settings/#secure-proxy-ssl-header
+SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")
+
+# https://docs.djangoproject.com/en/dev/ref/settings/#secure-ssl-redirect
+SECURE_SSL_REDIRECT = True
+
+# https://docs.djangoproject.com/en/dev/ref/settings/#session-cookie-secure
+SESSION_COOKIE_SECURE = True
+SESSION_COOKIE_NAME = "{{ random_ascii_string(20) }}"
+
+# https://docs.djangoproject.com/en/dev/ref/settings/#csrf-cookie-secure
+CSRF_COOKIE_SECURE = True
+CSRF_COOKIE_NAME = "{{ random_ascii_string(20) }}"
+
+# https://docs.djangoproject.com/en/dev/topics/security/#ssl-https
+# https://docs.djangoproject.com/en/dev/ref/settings/#secure-hsts-seconds
+SECURE_HSTS_SECONDS = 60 * 60 * 24 * 7 # 1 week
+
+# https://docs.djangoproject.com/en/dev/ref/settings/#secure-hsts-include-subdomains
+SECURE_HSTS_INCLUDE_SUBDOMAINS = True
+
+# https://docs.djangoproject.com/en/dev/ref/settings/#secure-hsts-preload
+SECURE_HSTS_PRELOAD = True
+
+# https://docs.djangoproject.com/en/dev/ref/middleware/#x-content-type-options-nosniff
+SECURE_CONTENT_TYPE_NOSNIFF = True