HSTS middleware should check request.is_secure() #5

jsocol opened this Issue Jul 13, 2011 · 2 comments


jsocol commented Jul 13, 2011

We need middleware to support HSTS. This should go into commonware.response.middleware for now (gah, now I really want to reorganize this again) and needs two settings, one for a max-age and one to optionally include subdomains. I think smart defaults are one month, and False, respectively.

For those who don't want to read the spec, this should only be sent if request.is_secure().

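The middleware the issue describes, written out as an added example (this is not commonware's code, and the class and setting names HSTSMiddleware, max_age and include_subdomains are assumed for illustration): an old-style Django `process_response` middleware with the two proposed settings and their proposed defaults (one month, subdomains off), which sets Strict-Transport-Security only when `request.is_secure()` is true. The request and response classes at the bottom are constructed stand-ins for Django's so the example runs without Django installed; in a real deployment the two values would come from `django.conf.settings`.

```python
# Added example, not commonware's own code: a Django-style response middleware
# that emits Strict-Transport-Security only on HTTPS responses, with the two
# settings the issue proposes (max-age, defaulting to one month; include
# subdomains, defaulting to False). The names HSTSMiddleware, max_age and
# include_subdomains are assumed for illustration.

ONE_MONTH = 30 * 24 * 60 * 60  # seconds; the "one month" default from the issue


class HSTSMiddleware(object):
    """Old-style Django middleware (process_response hook) that sets HSTS.

    Per the HSTS spec a browser must ignore the header when it arrives over
    plain HTTP, so sending it there is at best noise; the is_secure() check
    keeps the header on TLS responses only.
    """

    def __init__(self, max_age=ONE_MONTH, include_subdomains=False):
        # In a real deployment these would be read from django.conf.settings;
        # taking them as arguments keeps the example runnable without Django.
        if max_age < 0:
            raise ValueError("max_age must be non-negative")
        self.max_age = int(max_age)
        self.include_subdomains = bool(include_subdomains)

    def header_value(self):
        value = "max-age=%d" % self.max_age
        if self.include_subdomains:
            value += "; includeSubDomains"
        return value

    def process_response(self, request, response):
        # The check the issue asks for: never advertise HSTS over plain HTTP.
        if not request.is_secure():
            return response
        # Don't clobber a header a view or another layer already set.
        if "Strict-Transport-Security" not in response:
            response["Strict-Transport-Security"] = self.header_value()
        return response


# Constructed stand-ins for django.http.HttpRequest / HttpResponse so the
# example runs offline; they mimic only the behaviour the middleware uses.
class FakeRequest(object):
    def __init__(self, secure):
        self._secure = secure

    def is_secure(self):
        return self._secure


class FakeResponse(object):
    def __init__(self):
        self.headers = {}

    def __contains__(self, name):
        return name.lower() in self.headers

    def __setitem__(self, name, value):
        self.headers[name.lower()] = value

    def get(self, name, default=None):
        return self.headers.get(name.lower(), default)


def hsts_header_for(secure, max_age=ONE_MONTH, include_subdomains=False):
    """Run one request through the middleware; return the HSTS header or None."""
    mw = HSTSMiddleware(max_age=max_age, include_subdomains=include_subdomains)
    response = mw.process_response(FakeRequest(secure), FakeResponse())
    return response.get("Strict-Transport-Security")


if __name__ == "__main__":
    print("https:", hsts_header_for(True))
    print("http: ", hsts_header_for(False))
    print("https, subdomains:", hsts_header_for(True, 31536000, True))
```

One practical caveat when wiring this up: `request.is_secure()` is only trustworthy if the deployment tells Django how TLS is terminated (for a proxy that terminates TLS in front of the app, Django's `SECURE_PROXY_SSL_HEADER` setting), otherwise every request looks insecure and the header is never sent.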
I hadn't heard of HSTS before so I was curious...

It looks like it already exists:

The only thing missing (given the spec here) is checking if request.is_secure() and only adding the header for SSL responses.


jsocol commented Jul 14, 2011

Oh, oh wow. Wow. Thanks, Rob!

jsocol was assigned Mar 7, 2012

jsocol closed this in 8eeab71 Mar 7, 2012