HSTS middleware should check request.is_secure() #5

Closed
jsocol opened this Issue · 2 comments

2 participants

@jsocol
Owner

We need middleware to support HSTS. This should go into commonware.response.middleware for now (gah, now I really want to reorganize this again) and needs two settings, one for a max-age and one to optionally include subdomains. I think smart defaults are one month, and False, respectively.

For those who don't want to read the spec, this should only be sent if request.is_secure().

@robhudson

I hadn't heard of HSTS before so I was curious...

It looks like it already exists:
https://github.com/jsocol/commonware/blob/master/commonware/response/middleware.py#L38

The only thing missing (given the spec here) is checking if request.is_secure() and only adding the header for SSL responses.

@jsocol
Owner

Oh, oh wow. Wow. Thanks, Rob!

@jsocol jsocol was assigned
@jsocol jsocol closed this in 8eeab71
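
The behaviour discussed in this thread, as an added example that is not commonware's code and not part of the original issue: an old-style `process_response` middleware that sets `Strict-Transport-Security` only when `request.is_secure()` is true. The setting names `HSTS_MAX_AGE` and `HSTS_INCLUDE_SUBDOMAINS`, the 30-day reading of "one month", and the `FakeRequest` stand-in are assumptions made for the example.

```python
# Added example: framework-free sketch of an HSTS response middleware.
ONE_MONTH = 30 * 24 * 60 * 60  # "one month" default, taken as 30 days (assumption)
HEADER = "Strict-Transport-Security"


class Settings:
    """Hypothetical settings holder; these names are not commonware's own."""
    HSTS_MAX_AGE = ONE_MONTH
    HSTS_INCLUDE_SUBDOMAINS = False


class HSTSMiddleware:
    """Old-style Django middleware shape: process_response(request, response)."""

    def __init__(self, settings=Settings):
        self.settings = settings

    def header_value(self):
        max_age = int(getattr(self.settings, "HSTS_MAX_AGE", ONE_MONTH))
        if max_age < 0:
            raise ValueError("max-age must be non-negative")
        value = "max-age=%d" % max_age
        if getattr(self.settings, "HSTS_INCLUDE_SUBDOMAINS", False):
            value += "; includeSubDomains"
        return value

    def process_response(self, request, response):
        # RFC 6797 section 7.2: the header must not be sent over plain HTTP.
        # A header already set by the view is left untouched.
        if request.is_secure() and HEADER not in response:
            response[HEADER] = self.header_value()
        return response


class FakeRequest:
    """Constructed stand-in for a Django request object."""

    def __init__(self, secure):
        self._secure = secure

    def is_secure(self):
        return self._secure


def demo():
    """Return the headers produced for an HTTPS and a plain HTTP request."""
    mw = HSTSMiddleware()
    https = mw.process_response(FakeRequest(True), {})
    http = mw.process_response(FakeRequest(False), {})
    return https, http
```

A plain dict stands in for the response here; Django's `HttpResponse` supports the same `in` and item-assignment operations on headers.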