Harden production settings safety checks and docs

2026-03-10 16:04:02 +01:00
parent 2586f15ae8
commit dd09b71eb4
5 changed files with 153 additions and 5 deletions
--- a/.env.example
+++ b/.env.example
@ -1,7 +1,7 @@
 # Django
 DJANGO_SETTINGS_MODULE=config.settings.development
 DJANGO_ENV=development
-# Required to be a strong, unique value when DJANGO_DEBUG=0.
+# Required to be a strong, unique value outside development.
 DJANGO_SECRET_KEY=change-me-in-production
 DJANGO_DEBUG=1
 DJANGO_ALLOWED_HOSTS=localhost,127.0.0.1
@ -36,6 +36,16 @@ GUNICORN_WORKERS=3
 # Production-minded security toggles
 DJANGO_SECURE_SSL_REDIRECT=1
 DJANGO_SECURE_HSTS_SECONDS=31536000
+DJANGO_SESSION_COOKIE_SAMESITE=Lax
+DJANGO_CSRF_COOKIE_SAMESITE=Lax
+
+# Mandatory production variables (example values):
+# DJANGO_SETTINGS_MODULE=config.settings.production
+# DJANGO_ENV=production
+# DJANGO_DEBUG=0
+# DJANGO_SECRET_KEY=<strong-unique-secret-at-least-32-chars>
+# DJANGO_ALLOWED_HOSTS=app.example.com
+# DJANGO_CSRF_TRUSTED_ORIGINS=https://app.example.com

 # Providers / ingestion
 PROVIDER_BACKEND=demo