Replace unmaintained wsgi-sslify with Django settings (mozilla#3376)

mathjazz · Sep 25, 2024 · 0ba3b9a · 0ba3b9a
1 parent 082778c
commit 0ba3b9a
Show file tree

Hide file tree

Showing 4 changed files with 4 additions and 14 deletions.
diff --git a/pontoon/settings/base.py b/pontoon/settings/base.py
@@ -873,9 +873,9 @@ def _default_from_email():
 # Use correct header for detecting HTTPS on Heroku.
 SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")
 
-# Do not set SECURE_HSTS_SECONDS.
-# HSTS is being taken care of in pontoon/wsgi.py.
-# SECURE_HSTS_SECONDS = 63072000
+# If set to a non-zero integer value, the SecurityMiddleware sets the
+# HTTP Strict Transport Security header on all responses that do not already have it.
+SECURE_HSTS_SECONDS = 31536000  # 1 year
 
 # X-Content-Type-Options: nosniff
 # Disables browser MIME type sniffing

diff --git a/pontoon/wsgi.py b/pontoon/wsgi.py
@@ -9,8 +9,6 @@
 
 import dotenv
 
-from wsgi_sslify import sslify
-
 from django.core.wsgi import get_wsgi_application
 
 
@@ -23,4 +21,4 @@
 
 # sslify sets a Strict-Transport-Security header,
 # which instructs browsers to always use HTTPS.
-application = sslify(get_wsgi_application())
+application = get_wsgi_application()
diff --git a/requirements/default.in b/requirements/default.in
@@ -51,7 +51,6 @@ sacrebleu==2.3.1
 sacremoses==0.1.1
 translate-toolkit==3.3.2
 whitenoise==5.2.0
-wsgi-sslify==1.0.1
 
 # Dependencies loaded from outside pypi.
 silme @ https://github.com/mozilla/silme/archive/v0.11.2.zip
diff --git a/requirements/default.txt b/requirements/default.txt
@@ -1411,14 +1411,7 @@ webencodings==0.5.1 \
     --hash=sha256:a0af1213f3c2226497a97e2b3aa01a7e4bee4f403f95be16fc9acd2947514a78 \
     --hash=sha256:b36a1c245f2d304965eb4e0a82848379241dc04b865afcc4aab16748587e1923
     # via bleach
-werkzeug==2.1.2 \
-    --hash=sha256:1ce08e8093ed67d638d63879fd1ba3735817f7a80de3674d293f5984f25fb6e6 \
-    --hash=sha256:72a4b735692dd3135217911cbeaa1be5fa3f62bffb8745c5215420a03dc55255
-    # via wsgi-sslify
 whitenoise==5.2.0 \
     --hash=sha256:05ce0be39ad85740a78750c86a93485c40f08ad8c62a6006de0233765996e5c7 \
     --hash=sha256:05d00198c777028d72d8b0bbd234db605ef6d60e9410125124002518a48e515d
     # via -r requirements/default.in
-wsgi-sslify==1.0.1 \
-    --hash=sha256:cde368fda0fb9958dd58bc2cb955d0bf3df1b79c132d97cee90be5fda34a5089
-    # via -r requirements/default.in