From 4b558020af65c7d6a09af6e9826d245c4a7b07d5 Mon Sep 17 00:00:00 2001
From: Disco DeDisco <adamcraighamilton@gmail.com>
Date: Fri, 20 Feb 2026 13:33:11 -0500
Subject: [PATCH] added staging & prod https support to core.settings

---
 src/core/settings.py | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/core/settings.py b/src/core/settings.py
index e2e59ac..bb946be 100644
--- a/src/core/settings.py
+++ b/src/core/settings.py
@@ -28,6 +28,12 @@ if 'DJANGO_DEBUG_FALSE' in os.environ:
     SECRET_KEY = os.environ['DJANGO_SECRET_KEY']
     ALLOWED_HOSTS = [host.strip() for host in os.environ['DJANGO_ALLOWED_HOST'].split(',')]
     CSRF_TRUSTED_ORIGINS = [f'https://{host.strip()}' for host in os.environ['DJANGO_ALLOWED_HOST'].split(',')]
+    SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
+    SESSION_COOKIE_SECURE = True
+    CSRF_COOKIE_SECURE = True
+    SECURE_HSTS_SECONDS = 60
+    SECURE_HSTS_INCLUDE_SUBDOMAINS = True
+    SECURE_HSTS_PRELOAD = True
 else:
     DEBUG = True
     # SECURITY WARNING: keep the secret key used in production secret!