
Don't send HSTS headers over non-HTTPS connections #8

merged 1 commit into from

3 participants


This fixes #5.




Hmm, does it hurt to send them over regular connections?


Well, I suppose it doesn't hurt, no. But from the specs:

"Client implementations must not respect STS headers sent over non-HTTPS responses […]"

So it might be confusing to send them over non-secure connections. This is a bit more restricting, adding the header only to connections where it actually makes sense.
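The rule in the quoted spec text, as an added example that is not part of this PR or of flask-sslify: a server-side helper mirroring the merged behaviour (header only on HTTPS responses) beside a minimal client-side policy cache that ignores Strict-Transport-Security received over plain HTTP, which is why a header sent over HTTP is wasted. The header value and hostnames are constructed sample data.

```python
from urllib.parse import urlsplit, urlunsplit

HSTS_HEADER = "max-age=31536000; includeSubDomains"  # constructed sample policy

def set_hsts_header(headers, is_secure, hsts_header=HSTS_HEADER):
    """Server side: add the header only when the request arrived over HTTPS."""
    if is_secure:
        headers.setdefault("Strict-Transport-Security", hsts_header)
    return headers

def parse_hsts(value):
    """Parse 'max-age=N[; includeSubDomains]' into (max_age, include_subdomains)."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        arg = arg.strip().strip('"')
        if name.lower() == "max-age" and arg.isdigit():
            max_age = int(arg)
        elif name.lower() == "includesubdomains":
            include_sub = True
    return max_age, include_sub

class HstsCache:
    """Client side: hostnames known to require HTTPS -> includeSubDomains flag."""
    def __init__(self):
        self.hosts = {}

    def observe(self, url, headers):
        """Record a policy only if the response itself came over HTTPS."""
        parts = urlsplit(url)
        value = headers.get("Strict-Transport-Security")
        if parts.scheme != "https" or value is None:
            return False  # per the spec, STS over non-HTTPS is ignored
        max_age, include_sub = parse_hsts(value)
        if max_age is None:
            return False  # max-age is mandatory; a malformed header is ignored
        if max_age == 0:
            self.hosts.pop(parts.hostname, None)  # max-age=0 withdraws the policy
        else:
            self.hosts[parts.hostname] = include_sub
        return True

    def rewrite(self, url):
        """Upgrade an http:// URL when a cached policy covers its host."""
        parts = urlsplit(url)
        for known, include_sub in self.hosts.items():
            if parts.hostname == known or (include_sub and parts.hostname.endswith("." + known)):
                return urlunsplit(("https",) + parts[1:]) if parts.scheme == "http" else url
        return url
```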


I'd actually go even further and apply the same criteria (e.g. non-debug mode) that the redirection code uses.


Man, I have no idea why I didn't merge this.

@kennethreitz kennethreitz merged commit 6217898 into kennethreitz:master

LOL, :sparkles: :cake: :sparkles: anyway :)

Commits on Oct 26, 2012
  1. @nvie
Showing with 2 additions and 1 deletion.
@@ -51,7 +51,8 @@ def redirect_to_ssl(self):
def set_hsts_header(self, response):
"""Adds HSTS header to each response."""
- response.headers.setdefault('Strict-Transport-Security', self.hsts_header)
+ if request.is_secure:
+ response.headers.setdefault('Strict-Transport-Security', self.hsts_header)
return response
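Review bot: the docstring on `set_hsts_header` still reads `"""Adds HSTS header to each response."""`, which is no longer accurate once the header is gated on `request.is_secure`; update it to say the header is added only to responses to HTTPS requests. The hunk also introduces a reference to `request` that is not bound anywhere in the visible lines, so confirm the module imports it from Flask.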