HTTPS Hardening

Direct Answer: When to Use Built-in SecurityMiddleware vs Custom Headers

Django’s django.middleware.security.SecurityMiddleware automatically injects baseline OWASP headers: Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and baseline Content-Security-Policy. When evaluating Django security middleware vs custom headers, reserve custom implementations for enterprise compliance mandates, legacy upstream proxies that strip headers, or API endpoints requiring granular Access-Control-* overrides.

Header injection strictly follows Django’s MIDDLEWARE execution order. Placing custom middleware after SecurityMiddleware allows safe overrides without duplication. Framework architecture comparisons and cross-stack header handling are detailed in FastAPI & Django Security Middleware.

Security implication: Duplicate headers trigger browser fallback behavior or strict CSP violations. Always validate header precedence before deployment.

Exact Configuration & Diagnostic Commands

Step 1: Enable baseline middleware in settings.py:

MIDDLEWARE = [
 'django.middleware.security.SecurityMiddleware', # Must be first
 'django.contrib.sessions.middleware.SessionMiddleware',
 'myapp.middleware.CustomSecurityHeadersMiddleware', # Executes after baseline
]

SECURE_HSTS_SECONDS = 31536000
SECURE_HSTS_INCLUDE_SUBDOMAINS = True
SECURE_CONTENT_TYPE_NOSNIFF = True
# SECURE_BROWSER_XSS_FILTER is deprecated in Django 3.0+ and removed in 4.0+

Step 2: Implement custom middleware class (myapp/middleware.py):

class CustomSecurityHeadersMiddleware:
 def __init__(self, get_response):
 self.get_response = get_response

 def __call__(self, request):
 response = self.get_response(request)
 # Override or append enterprise/compliance headers
 response['X-Frame-Options'] = 'DENY'
 response['X-Permitted-Cross-Domain-Policies'] = 'none'
 response['Permissions-Policy'] = 'camera=(), microphone=()'
 return response

Step 3: Run diagnostic command to inspect raw response headers:

curl -sI -X GET https://your-domain.com/admin/login/ | grep -iE '(strict-transport|x-frame|x-content-type|referrer-policy|content-security|permissions-policy)'

Verification & Header Precedence Validation

Execute python manage.py check --deploy to validate SECURE_* settings against production best practices. Verify single-instance headers using curl or httpie. Multiple values for X-Frame-Options or Strict-Transport-Security indicate middleware ordering conflicts or reverse proxy duplication.

Cross-reference deployment manifests and reverse proxy configurations. Full platform deployment workflows and infrastructure hardening patterns are documented in Server & Platform Implementation Guides.

Security implication: Missing Strict-Transport-Security on the initial HTTP request enables protocol downgrade attacks. Ensure SECURE_SSL_REDIRECT = True is active in production and that your TLS termination point correctly forwards X-Forwarded-Proto.

Edge Cases, Conflicts & Rollback Procedures

Edge Case 1: Load balancers or CDN proxies strip custom headers. Solution: Configure upstream proxy to forward X-Forwarded-Proto and disable automatic header sanitization. Verify proxy pass-through rules do not drop non-standard headers.

Edge Case 2: SecurityMiddleware silently overwrites custom headers. Solution: Reorder the MIDDLEWARE list so custom middleware executes last. Django processes middleware top-to-bottom on request, and bottom-to-top on response.

Edge Case 3: Content-Security-Policy conflicts with inline scripts. Solution: Do not override SecurityMiddleware directly. Use django-csp or inject a nonce-based CSP via custom middleware to maintain strict policy enforcement without breaking legitimate inline execution.

Rollback Procedure:

  1. Temporarily comment out the custom middleware string in settings.py.
  2. Run python manage.py check to catch configuration drift.
  3. Gracefully restart Gunicorn/Uvicorn workers (systemctl reload gunicorn or kill -HUP <pid>).
  4. Monitor 5xx logs for header-related HttpResponse exceptions.

Security implication: Improper rollback leaves X-Frame-Options unset, exposing clickjacking vectors. Always validate with curl -I post-rollback and confirm baseline headers are restored before routing production traffic.