From da99286d88b8458b3be2378157ed83e355669dac Mon Sep 17 00:00:00 2001
From: Jake Howard
Date: Sun, 27 Nov 2016 21:59:28 +0000
Subject: [PATCH] Only allow django admin in debug
---
 project/settings.py | 30 ++++++++++++++++--------------
 project/urls.py | 4 ++--
 2 files changed, 18 insertions(+), 16 deletions(-)
diff --git a/project/settings.py b/project/settings.py
index e1db24b..9a7c989 100755
--- a/project/settings.py
+++ b/project/settings.py
@@ -13,21 +13,8 @@ SECRET_KEY = os.environ['SECRET_KEY']
 EMAIL_BACKEND = 'django.core.mail.backends.console.EmailBackend'
-if not DEBUG:
- print("NOT DEBUG!")
- SESSION_COOKIE_SECURE = True
- CSRF_COOKIE_SECURE = True
- CSRF_COOKIE_HTTPONLY = True
- SECURE_CONTENT_TYPE_NOSNIFF = True
- SECURE_BROWSER_XSS_FILTER = True
- SECURE_SSL_REDIRECT = True
-
-X_FRAME_OPTIONS = 'DENY'
-MAX_UPLOAD_SIZE = 5242880 # 5MB - 5242880
-
 # Application definition
-
 INSTALLED_APPS = [
 'wagtail.wagtailforms',
 'wagtail.wagtailredirects',
@@ -47,7 +34,6 @@ INSTALLED_APPS = [
 'modelcluster',
 'taggit',
- 'django.contrib.admin',
 'django.contrib.auth',
 'django.contrib.contenttypes',
 'django.contrib.sessions',
@@ -61,6 +47,22 @@ INSTALLED_APPS = [
 'project.search',
 ]
+if DEBUG:
+ INSTALLED_APPS += ['django.contrib.admin']
+
+# Harden Django!
+if not DEBUG:
+ SESSION_COOKIE_SECURE = True
+ CSRF_COOKIE_SECURE = True
+ CSRF_COOKIE_HTTPONLY = True
+ SECURE_CONTENT_TYPE_NOSNIFF = True
+ SECURE_BROWSER_XSS_FILTER = True
+ SECURE_SSL_REDIRECT = True
+
+X_FRAME_OPTIONS = 'DENY'
+MAX_UPLOAD_SIZE = 5242880 # 5MB - 5242880
+
+
 MIDDLEWARE = [
 'django.middleware.security.SecurityMiddleware',
diff --git a/project/urls.py b/project/urls.py
index 670d8b8..a907951 100755
--- a/project/urls.py
+++ b/project/urls.py
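Review bot: The relocated `if not DEBUG:` hardening block in the third settings.py hunk still sets no HSTS, so `SECURE_SSL_REDIRECT = True` forces HTTPS on every request while browsers keep attempting plain HTTP first; adding `SECURE_HSTS_SECONDS` next to it (e.g. a short value such as `SECURE_HSTS_SECONDS = 3600` to start, with `SECURE_HSTS_INCLUDE_SUBDOMAINS` once every subdomain serves TLS) closes that gap. `SECURE_SSL_REDIRECT` behind a TLS-terminating proxy also needs `SECURE_PROXY_SSL_HEADER`, otherwise every request is redirected again; whether this deployment sits behind one is not visible here. The new `if DEBUG: INSTALLED_APPS += ['django.contrib.admin']` relies on `DEBUG` being assigned earlier in settings.py, outside the hunk, and it now mirrors a matching gate in urls.py, so a comment such as `# django.contrib.admin is development-only; urls.py mounts its routes under the same DEBUG flag` would make the two-file coupling explicit to the next reader.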
@@ -8,8 +8,6 @@ from wagtail.wagtailcore import urls as wagtail_urls
 from wagtail.wagtaildocs import urls as wagtaildocs_urls
 urlpatterns = [
- url(r'^django-admin/', include(admin.site.urls)),
-
 url(r'^admin/', include(wagtailadmin_urls)),
 url(r'^documents/', include(wagtaildocs_urls)),
@@ -23,6 +21,8 @@ if settings.DEBUG:
 from django.conf.urls.static import static
 from django.contrib.staticfiles.urls import staticfiles_urlpatterns
+ urlpatterns = [url(r'^django-admin/', include(admin.site.urls))] + urlpatterns
+
 # Serve static and media files from development server
 urlpatterns += staticfiles_urlpatterns()
 urlpatterns += static(settings.MEDIA_URL, document_root=settings.MEDIA_ROOT)
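Review bot: The added `urlpatterns = [url(r'^django-admin/', include(admin.site.urls))] + urlpatterns` in the second urls.py hunk uses the `admin` name, whose import presumably still sits unconditionally at the top of urls.py outside this hunk; now that `django.contrib.admin` is only installed under DEBUG that import is dead in production, so a comment on it such as `# only mounted under settings.DEBUG, see below` would save the next reader a search. Rebinding the module global works because the `if settings.DEBUG:` block is at module level, but `urlpatterns.insert(0, url(r'^django-admin/', include(admin.site.urls)))` states the intent of putting the route ahead of the existing ones more directly than building a new list. The `if settings.DEBUG:` block begins outside the hunk.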