From 3abe7842519b18418e658769f8fb196acf0d8687 Mon Sep 17 00:00:00 2001
From: fschildt
Date: Sun, 19 Oct 2025 17:38:03 +0200
Subject: settings: secure cookies in production

---
 fsweb/settings.py | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/fsweb/settings.py b/fsweb/settings.py
index 9221719..e4359ea 100644
--- a/fsweb/settings.py
+++ b/fsweb/settings.py
@@ -18,11 +18,14 @@ from dotenv import load_dotenv
 BASE_DIR = Path(__file__).resolve().parent.parent
+
 # Quick-start development settings - unsuitable for production
 # See https://docs.djangoproject.com/en/5.1/howto/deployment/checklist/
-env = os.getenv('DJANGO_ENV')
-if env == 'production':
+
+# Basic Settings
+is_env_production = os.getenv('DJANGO_ENV') == 'production'
+if is_env_production:
     load_dotenv('/var/www/fsweb/config/.env')
 else:
     load_dotenv('.env.dev')
@@ -32,10 +35,11 @@ SECRET_KEY = os.getenv('SECRET_KEY')
 ALLOWED_HOSTS = os.getenv('ALLOWED_HOSTS', '').split(',')
 STATIC_ROOT = os.getenv('STATIC_ROOT')
-if not SECRET_KEY:
-    raise ValueError("SECRET_KEY is not set in the .env file")
-if env == 'production' and not ALLOWED_HOSTS:
-    raise ValueError("ALLOWED_HOSTS must be set in production")
+# Security Settings
+if is_env_production:
+    CSRF_COOKIE_SECURE = True
+    SESSION_COOKIE_SECURE = True
+
 # Application definition
-- 
cgit v1.2.3
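Review bot: The Django boilerplate comment `# Quick-start development settings - unsuitable for production` now sits directly above the new `# Basic Settings` block that selects the production `.env` path, which reads as if that block itself were development-only. Since this file already branches on `is_env_production`, the comment no longer describes what follows; I would replace it with a line that states the actual contract, e.g. `# DJANGO_ENV=production selects /var/www/fsweb/config/.env; anything else loads .env.dev`, and keep the deployment-checklist link. The first and last lines of this settings module are outside the hunk.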
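Review bot: The fail-fast checks on SECRET_KEY and ALLOWED_HOSTS are deleted in the second hunk without a replacement, so a production process whose `.env` lacks SECRET_KEY or ALLOWED_HOSTS now starts instead of refusing to. The removed ALLOWED_HOSTS guard was also ineffective as written, because the context line `ALLOWED_HOSTS = os.getenv('ALLOWED_HOSTS', '').split(',')` yields `['']` for an unset variable, which is truthy and so never tripped `not ALLOWED_HOSTS`. Restoring both guards against the new `is_env_production` flag, with empty entries filtered out of the host list, keeps the startup validation alongside the secure-cookie settings this commit adds.
```python
ALLOWED_HOSTS = [h.strip() for h in os.getenv('ALLOWED_HOSTS', '').split(',') if h.strip()]
STATIC_ROOT = os.getenv('STATIC_ROOT')

if not SECRET_KEY:
    raise ValueError("SECRET_KEY is not set in the .env file")
if is_env_production and not ALLOWED_HOSTS:
    raise ValueError("ALLOWED_HOSTS must be set in production")

# Security Settings
# … unchanged: CSRF_COOKIE_SECURE / SESSION_COOKIE_SECURE block …
```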