If you are trying to build a secure site, setting up HTTPS is the first step.
With Django, if you are using things like
HttpRedirectRequest you will soon discover that by default they will redirect to plain old http. Bummer.
Thankfully, there is an easy way to fix this. Just set your HTTPS environment variable to "on".
With Heroku you can add it like this:
heroku config:add HTTPS=on
Or you can just add it to the top of your wsgi.py file like this:
import os
os.environ['HTTPS'] = "on"
One more important note: make sure that DEBUG is False in settings.py or this will not work!
DEBUG = False
Also, if you are using Heroku, their reverse HTTP proxy breaks
request.is_secure, which breaks other things. The most obvious is
APPEND_SLASH = True; this is another bummer. Luckily there is an easy fix. Just add this to settings.py:
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https',)
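To see what that setting actually changes, here is an added example (not code from the original post or from Django itself): a Django-free re-implementation of the is_secure() lookup, with a constructed request environ shaped like what a Heroku dyno receives after the router has terminated TLS. The hostname is a placeholder.

```python
# Added example: mirrors Django's request.is_secure() logic with and without
# SECURE_PROXY_SSL_HEADER so the Heroku behaviour can be reproduced offline.

SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")


def is_secure(environ, secure_proxy_ssl_header=None):
    """Check the configured proxy header first (as Django does), then fall
    back to the WSGI scheme, which is always plain http behind Heroku."""
    if secure_proxy_ssl_header:
        header, value = secure_proxy_ssl_header
        if environ.get(header) == value:
            return True
    return environ.get("wsgi.url_scheme") == "https"


def build_absolute_uri(environ, path, secure_proxy_ssl_header=None):
    """Where a redirect ends up pointing: the scheme comes from is_secure(),
    which is why a missing setting turns every redirect into an http:// one."""
    scheme = "https" if is_secure(environ, secure_proxy_ssl_header) else "http"
    return "%s://%s%s" % (scheme, environ["HTTP_HOST"], path)


def heroku_environ(forwarded_proto=None):
    """Constructed sample request as seen by the dyno: TLS was terminated by
    the Heroku router, so the only trace of the client's TLS session is the
    X-Forwarded-Proto header the router adds."""
    environ = {
        "wsgi.url_scheme": "http",
        "HTTP_HOST": "example-app.herokuapp.com",  # placeholder hostname
        "PATH_INFO": "/",
        "REQUEST_METHOD": "GET",
    }
    if forwarded_proto is not None:
        environ["HTTP_X_FORWARDED_PROTO"] = forwarded_proto
    return environ


if __name__ == "__main__":
    req = heroku_environ(forwarded_proto="https")
    # Default settings: the proxy header is ignored, so the redirect is http://
    print(build_absolute_uri(req, "/accounts/login/"))
    # With the setting from this post the same request is recognised as https
    print(build_absolute_uri(req, "/accounts/login/", SECURE_PROXY_SSL_HEADER))
```

Note that is_secure() trusts the header unconditionally once the setting is present, so this is only safe when the proxy in front of the app always sets or overwrites X-Forwarded-Proto itself; if a deployment ever exposes the app without such a proxy, a plain-HTTP client could supply the header and be treated as secure.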
Via https://twitter.com/chuckharmston/status/225857111157006336; other fixes at https://github.com/allanlei/django-heroku-helpers
This was taken from a great post at http://security.stackexchange.com/a/8970/17658