HSTS middleware should check request.is_secure() #5

Closed
jsocol opened this Issue Jul 13, 2011 · 2 comments

Owner

jsocol commented Jul 13, 2011

We need middleware to support HSTS. This should go into commonware.response.middleware for now (gah, now I really want to reorganize this again) and needs two settings, one for a max-age and one to optionally include subdomains. I think smart defaults are one month, and False, respectively.

For those who don't want to read the spec, this should only be sent if request.is_secure().

I hadn't heard of HSTS before so I was curious...

It looks like it already exists:
https://github.com/jsocol/commonware/blob/master/commonware/response/middleware.py#L38

The only thing missing (given the spec here) is checking if request.is_secure() and only adding the header for SSL responses.

Owner

jsocol commented Jul 14, 2011

Oh, oh wow. Wow. Thanks, Rob!

jsocol was assigned Mar 7, 2012

jsocol closed this in 8eeab71 Mar 7, 2012
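The behaviour discussed in this thread, as an added example that is not commonware's code or the fix in 8eeab71: a middleware in Django's `process_response(request, response)` shape that sets `Strict-Transport-Security` only when `request.is_secure()` is true. The class name, constructor parameters and `FakeRequest` stub are hypothetical, and "one month" is assumed to mean 30 days.

```python
# Added example: a stand-alone sketch, not the project's implementation.
SECONDS_PER_MONTH = 30 * 24 * 60 * 60  # "one month" default (30 days assumed)


class HSTSMiddleware:
    """Hypothetical middleware using Django's process_response() hook shape."""

    def __init__(self, max_age=SECONDS_PER_MONTH, include_subdomains=False):
        # A negative max-age is not a valid directive value; fail at startup.
        if int(max_age) < 0:
            raise ValueError("max_age must be non-negative")
        self.max_age = int(max_age)
        self.include_subdomains = bool(include_subdomains)

    def header_value(self):
        value = "max-age=%d" % self.max_age
        if self.include_subdomains:
            value += "; includeSubDomains"
        return value

    def process_response(self, request, response):
        # The header must not be sent over non-secure transport (RFC 6797,
        # section 7.2), so plain-HTTP responses are returned untouched.
        if request.is_secure():
            response["Strict-Transport-Security"] = self.header_value()
        return response


class FakeRequest:
    """Constructed stand-in for a Django request; only is_secure() is used."""

    def __init__(self, secure):
        self._secure = secure

    def is_secure(self):
        return self._secure


def demo():
    # Plain dicts stand in for responses (Django responses accept the same
    # item assignment for headers).
    mw = HSTSMiddleware()
    https_response = mw.process_response(FakeRequest(True), {})
    http_response = mw.process_response(FakeRequest(False), {})
    return https_response, http_response


if __name__ == "__main__":
    print(demo())
```

Behind a TLS-terminating proxy, `request.is_secure()` is only accurate when Django has been told which forwarded header to trust (the `SECURE_PROXY_SSL_HEADER` setting); otherwise the header is never sent.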
