Force https for /admin

[rgeoghegan]

The /admin site only works under http (https://mtlpy.org leads nowhere). Despite Heartbleed, it would be handy to not send our passwords out on cleartext. Do the following:

1. Generate a self-signed certificate and dump it in the mtlpy keepass. No need to buy one since we can share it with the admins.
2. Hack the nginx config so that any requests to /admin require https
3. Of course, set up https in nginx with the self-signed certificate

[mlhamel]

We should take a certificate for free from there:
https://www.startssl.com

BUT, we should fix hearthbleed on our server cause no-one did any updates on it since a long time !

[pior]

We now have a certificate.
What is the proper way to enforce HTTPS on /admin ?

[merwok]

Django settings to prevent being logged over http:

CSRF_COOKIE_HTTPONLY = True
CRSF_COOKIE_SECURE = True
SESSION_COOKIE_SECURE = True

(I have all three on my sites, your mileage may vary.)

Then I have an nginx config to redirect http to https with the HSTS header, I’m not sure what can be done on Heroku.

[merwok]

Ah! https://stackoverflow.com/a/26670053/821378