Only send STS header if request.is_secure(). Fixes #5.

mozilla · Mar 7, 2012 · 8eeab71 · 8eeab71
1 parent de48d09
commit 8eeab71
Showing 1 changed file with 7 additions and 6 deletions.
diff --git a/commonware/response/middleware.py b/commonware/response/middleware.py
@@ -44,12 +44,13 @@ class StrictTransportMiddleware(object):
     """
 
     def process_response(self, request, response):
-        age = getattr(settings, 'STS_MAX_AGE', 2592000)  # 30 days.
-        subdomains = getattr(settings, 'STS_SUBDOMAINS', False)
-        val = 'max-age=%d' % age
-        if subdomains:
-            val += '; includeSubDomains'
-        response['Strict-Transport-Security'] = val
+        if request.is_secure():
+            age = getattr(settings, 'STS_MAX_AGE', 2592000)  # 30 days.
+            subdomains = getattr(settings, 'STS_SUBDOMAINS', False)
+            val = 'max-age=%d' % age
+            if subdomains:
+                val += '; includeSubDomains'
+            response['Strict-Transport-Security'] = val
         return response