Don't send HSTS headers over non-HTTPS connections #8

Merged
merged 1 commit into from

3 participants

@nvie

This fixes #5.

@kennethreitz

Thanks!

@kennethreitz

Hmm, does it hurt to send them over regular connections?

@nvie

Well, I suppose it doesn't hurt, no. But from the specs:

"Client implementations must not respect STS headers sent over non-HTTPS responses […]"

So it might be confusing to send them over non-secure connections. This is a bit more restricting, adding the header only to connections where it actually makes sense.

@jparise

I'd actually go even further and apply the same criteria (e.g. non-debug mode) that the redirection code uses.

@kennethreitz
Owner

Man, I have no idea why I didn't merge this.

@kennethreitz kennethreitz merged commit 6217898 into kennethreitz:master
@nvie

LOL, :sparkles: :cake: :sparkles: anyway :)

Commits on Oct 26, 2012
  1. @nvie
Showing with 2 additions and 1 deletion.
  1. +2 −1  flask_sslify.py
3  flask_sslify.py
@@ -51,7 +51,8 @@ def redirect_to_ssl(self):
def set_hsts_header(self, response):
"""Adds HSTS header to each response."""
- response.headers.setdefault('Strict-Transport-Security', self.hsts_header)
+ if request.is_secure:
+ response.headers.setdefault('Strict-Transport-Security', self.hsts_header)
return response
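Review bot: the docstring on `set_hsts_header` still reads "Adds HSTS header to each response", which no longer matches the new `if request.is_secure:` guard; update it to say the header is only added to responses to HTTPS requests. Two further points on the guard itself: `request` is used here but no import is visible in the hunk, so confirm `from flask import request` is present at module level; and `request.is_secure` reflects the WSGI scheme as the app sees it, so behind a TLS-terminating proxy that forwards plain HTTP the condition will be false and the header will never be sent unless the deployment also applies a proxy fix that honours the forwarded scheme. That last behaviour is worth a note in the README so operators do not assume HSTS is active when it is not.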