
HSTS middleware should check request.is_secure() #5

jsocol opened this Issue · 2 comments

2 participants


We need middleware to support HSTS. This should go into commonware.response.middleware for now (gah, now I really want to reorganize this again) and needs two settings, one for a max-age and one to optionally include subdomains. I think smart defaults are one month, and False, respectively.

For those who don't want to read the spec, this should only be sent if request.is_secure().


I hadn't heard of HSTS before so I was curious...

It looks like it already exists:

The only thing missing (given the spec here) is checking if request.is_secure() and only adding the header for SSL responses.


Oh, oh wow. Wow. Thanks, Rob!

jsocol was assigned
jsocol closed this in 8eeab71
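
The behaviour this issue asks for, as an added example that is not commonware's code or the change in 8eeab71: a framework-independent sketch in the shape of an old-style Django middleware. The class name, constructor parameters, the 30-day reading of "one month" and the stand-in request class are assumptions of the example.

```python
# Added example, not commonware's implementation. Names are hypothetical.

DEFAULT_MAX_AGE = 30 * 24 * 60 * 60  # "one month", read here as 30 days (assumption)


class HSTSMiddleware:
    """Add Strict-Transport-Security to responses for secure requests only."""

    header = "Strict-Transport-Security"

    def __init__(self, max_age=DEFAULT_MAX_AGE, include_subdomains=False):
        # Reject values that would produce a malformed max-age directive.
        if isinstance(max_age, bool) or not isinstance(max_age, int) or max_age < 0:
            raise ValueError("max_age must be a non-negative integer of seconds")
        self.value = "max-age=%d" % max_age
        if include_subdomains:
            self.value += "; includeSubDomains"

    def process_response(self, request, response):
        # The header is only meaningful over TLS: browsers ignore it on
        # plain HTTP, so it is sent only when request.is_secure() is true.
        # Choice made in this example: a header already set by a view
        # is left untouched.
        if request.is_secure() and self.header not in response:
            response[self.header] = self.value
        return response


class FakeRequest:
    """Constructed stand-in for a Django HttpRequest."""

    def __init__(self, secure):
        self._secure = secure

    def is_secure(self):
        return self._secure


def demo():
    """Run the middleware over one HTTPS and one HTTP request (dicts as responses)."""
    mw = HSTSMiddleware(include_subdomains=True)
    https = mw.process_response(FakeRequest(True), {})
    http = mw.process_response(FakeRequest(False), {})
    return https, http


if __name__ == "__main__":
    print(demo())
```

Behind a TLS-terminating proxy, `request.is_secure()` is only true when Django has been told which forwarded header to trust via `SECURE_PROXY_SSL_HEADER`, so the check depends on that setting being correct.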