I’m using fly to deploy Django webapps with these browser security settings on.
SECURE_HSTS_SECONDS = 3600
SECURE_HSTS_INCLUDE_SUBDOMAINS = True
These settings will not work without passing in the X-Forwarded-Proto header in deployment settings:
SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")
Django docs advise that this is a possibly unsafe setting since end users can spoof the header in a non-secure (http) request unless the webserver is configured to strip the X-Forwarded-Proto header from all incoming requests. Does the Fly proxy do this?
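To make the hazard in the question concrete, here is an added example that is not part of the original post and not Django's or Fly's own code. It models in plain Python (no Django needed) how SECURE_PROXY_SSL_HEADER makes request.is_secure() trust the X-Forwarded-Proto header, why that lets a plain-HTTP client get HSTS (or skip an HTTPS redirect) if the header reaches the app untouched, and what a trustworthy TLS-terminating proxy has to do instead. The two proxy functions are hypothetical models written for this example; whether the Fly proxy behaves like the second one is exactly what the question asks, and only Fly's documentation can answer that.

```python
"""Model of Django's SECURE_PROXY_SSL_HEADER logic and of two kinds of proxy.

Added example, not Django or Fly code. is_secure() mirrors the documented
behaviour of HttpRequest.is_secure() when SECURE_PROXY_SSL_HEADER is set;
the proxy functions are hypothetical models, not a description of Fly.
"""

# The settings from the post.
SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")
SECURE_HSTS_SECONDS = 3600
SECURE_HSTS_INCLUDE_SUBDOMAINS = True


def is_secure(meta, proxy_ssl_header=SECURE_PROXY_SSL_HEADER):
    """Mirror of request.is_secure() with SECURE_PROXY_SSL_HEADER configured.

    `meta` is a WSGI environ / request.META dict. If the configured header
    is present, its first comma-separated value alone decides the scheme;
    the real connection scheme (wsgi.url_scheme) is ignored. That is the
    spoofing hazard the Django docs warn about.
    """
    header, secure_value = proxy_ssl_header
    value = meta.get(header)
    if value is not None:
        first = value.split(",", 1)[0].strip()
        return first == secure_value
    return meta.get("wsgi.url_scheme") == "https"


def hsts_header(meta):
    """SecurityMiddleware only adds Strict-Transport-Security when the
    request is considered secure, so a spoofed header controls whether
    HSTS is sent at all."""
    if not SECURE_HSTS_SECONDS or not is_secure(meta):
        return None
    value = f"max-age={SECURE_HSTS_SECONDS}"
    if SECURE_HSTS_INCLUDE_SUBDOMAINS:
        value += "; includeSubDomains"
    return value


def passthrough_proxy(client_headers, connection_was_tls):
    """Hypothetical naive proxy: forwards whatever headers the client sent.
    It terminates TLS, so the proxy-to-app hop is always plain HTTP."""
    meta = {"wsgi.url_scheme": "http"}
    meta.update(client_headers)
    # Only sets the header when the client did not, so a client-supplied
    # value survives. This is the unsafe configuration.
    meta.setdefault("HTTP_X_FORWARDED_PROTO",
                    "https" if connection_was_tls else "http")
    return meta


def overwriting_proxy(client_headers, connection_was_tls):
    """Hypothetical trustworthy proxy: unconditionally replaces
    X-Forwarded-Proto with what it observed on the client connection,
    so nothing the client sent can reach Django in that header."""
    meta = {"wsgi.url_scheme": "http"}
    meta.update(client_headers)
    meta["HTTP_X_FORWARDED_PROTO"] = "https" if connection_was_tls else "http"
    return meta


def demo():
    """Constructed requests (not captured traffic) run through both proxies."""
    # A client on plain HTTP that lies about its transport.
    spoofed = {"HTTP_X_FORWARDED_PROTO": "https"}
    # An honest HTTPS client that sends no such header.
    honest = {}
    return {
        "naive_spoofed_secure": is_secure(passthrough_proxy(spoofed, False)),
        "naive_spoofed_hsts": hsts_header(passthrough_proxy(spoofed, False)),
        "strict_spoofed_secure": is_secure(overwriting_proxy(spoofed, False)),
        "strict_spoofed_hsts": hsts_header(overwriting_proxy(spoofed, False)),
        "strict_honest_secure": is_secure(overwriting_proxy(honest, True)),
        "strict_honest_hsts": hsts_header(overwriting_proxy(honest, True)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Behind the naive proxy the spoofed plain-HTTP request is reported as secure and receives an HSTS header; behind the overwriting proxy the same request is correctly seen as http, while the honest HTTPS client still gets HSTS. The same is_secure() result also gates SECURE_SSL_REDIRECT, so the header decides more than just HSTS. The practical check is to send a request to the deployed app over plain HTTP with X-Forwarded-Proto: https set and see whether the app treats it as secure.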