Hello, PythonAnywhere folks.
Since I have no knowledge of web security, I have two questions related to my Django-powered website's security.
The first and most straightforward one: I've enabled forcing HTTPS through the web tab. Do I still need to set SECURE_SSL_REDIRECT, SECURE_HSTS_SECONDS, SECURE_HSTS_INCLUDE_SUBDOMAINS, and SECURE_HSTS_PRELOAD in my settings file?
The second question, which got me really puzzled, is regarding the SECURE_PROXY_SSL_HEADER setting. In the Django docs, it says: "You should only set this setting if you control your proxy or have some other guarantee that it sets/strips this header appropriately." It also warns that I should only set this setting if all points in a list they provided apply to me. What should I do in this case?
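As an added illustration of the warning quoted in the question (this is not code from the original post, from Django, or from PythonAnywhere), the following model follows Django's documented `is_secure()` behaviour: when SECURE_PROXY_SSL_HEADER is set, Django trusts the named request header over the scheme the WSGI server itself saw. A toy TLS-terminating proxy that either strips or passes through a client-supplied `X-Forwarded-Proto` header shows why the setting is only safe when the proxy is known to strip it. The names `proxy_forward`, `app_is_secure`, `run_scenarios` and the request scenarios are assumptions made for this example.

```python
"""Model of the SECURE_PROXY_SSL_HEADER trust decision behind a reverse proxy.

Added example: modelled on Django's documented HttpRequest.is_secure()
behaviour, not Django's own code and not PythonAnywhere's proxy setup.
The proxy below is a constructed toy; the scenario names are assumptions.
"""

# Same shape as the Django setting: (META key, value that means "TLS").
SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")


def to_meta(headers):
    """Map HTTP header names to WSGI META keys (X-Forwarded-Proto -> HTTP_X_FORWARDED_PROTO)."""
    return {"HTTP_" + name.upper().replace("-", "_"): value for name, value in headers.items()}


def app_is_secure(meta, wsgi_scheme, proxy_header=SECURE_PROXY_SSL_HEADER):
    """Simplified is_secure(): if SECURE_PROXY_SSL_HEADER is configured and the
    header is present, its value decides; otherwise fall back to the scheme the
    app server itself saw (always plain HTTP behind a TLS-terminating proxy)."""
    if proxy_header is not None:
        name, secure_value = proxy_header
        value = meta.get(name)
        if value is not None:
            # Django compares the first comma-separated value, whitespace stripped.
            return value.split(",", 1)[0].strip() == secure_value
    return wsgi_scheme == "https"


def proxy_forward(client_headers, client_used_tls, strip_forwarded_proto):
    """Toy TLS-terminating reverse proxy speaking plain HTTP to the app.

    strip_forwarded_proto=True  -> drops any client-supplied X-Forwarded-Proto
                                   and sets its own from the real connection.
    strip_forwarded_proto=False -> only fills the header in if absent, so a
                                   client-supplied value is passed through.
    Returns (META, scheme the app server sees).
    """
    real_proto = "https" if client_used_tls else "http"
    forwarded = dict(client_headers)
    if strip_forwarded_proto:
        forwarded = {k: v for k, v in forwarded.items() if k.lower() != "x-forwarded-proto"}
        forwarded["X-Forwarded-Proto"] = real_proto
    else:
        forwarded.setdefault("X-Forwarded-Proto", real_proto)
    return to_meta(forwarded), "http"


def evaluate(client_headers, client_used_tls, strip):
    """Run one request through the toy proxy and return the app's is_secure() verdict."""
    meta, scheme = proxy_forward(client_headers, client_used_tls, strip)
    return app_is_secure(meta, scheme)


# Constructed attacker request: plain HTTP, but claims TLS in the header.
SPOOF = {"X-Forwarded-Proto": "https"}


def run_scenarios():
    """Constructed scenarios; each value is the app's is_secure() answer."""
    meta_tls, scheme = proxy_forward({}, client_used_tls=True, strip_forwarded_proto=True)
    return {
        # Honest proxy that strips the header: verdict tracks the real connection.
        "plain_http_stripping_proxy": evaluate({}, False, strip=True),
        "tls_stripping_proxy": evaluate({}, True, strip=True),
        # Spoofed header is discarded by a stripping proxy.
        "spoof_vs_stripping_proxy": evaluate(SPOOF, False, strip=True),
        # Spoofed header survives a pass-through proxy: plain-HTTP request looks secure.
        "spoof_vs_passthrough_proxy": evaluate(SPOOF, False, strip=False),
        # Without the setting, every request behind the proxy looks insecure,
        # even a real TLS one (this is what makes SECURE_SSL_REDIRECT loop).
        "tls_without_setting": app_is_secure(meta_tls, scheme, proxy_header=None),
    }


if __name__ == "__main__":
    for name, secure in run_scenarios().items():
        print(f"{name:32s} is_secure={secure}")
```

The two things the block makes concrete: without SECURE_PROXY_SSL_HEADER, a TLS request terminated at the proxy is reported as insecure, and with it, the answer is only as trustworthy as the proxy's handling of the header.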