From cbd7d60c498382afe7df491d6a987e2d2747e8fe Mon Sep 17 00:00:00 2001 From: Michael Tofias Date: Tue, 31 Mar 2015 11:56:05 -0500 Subject: [PATCH] Made suggested improvements, allow more parameters to be set via config, added to documentation. --- README.rst | 14 +++++++++++++- flask_sslify.py | 19 +++++++++++-------- 2 files changed, 24 insertions(+), 9 deletions(-) diff --git a/README.rst b/README.rst index 5675e13..4a68e74 100644 --- a/README.rst +++ b/README.rst @@ -47,6 +47,9 @@ If you'd like to include subdomains in your HSTS policy, set the ``subdomains`` sslify = SSLify(app, subdomains=True) +Or by including SSL_SUBDOMAINS in your app's config. + + HTTP 301 Redirects ------------------ @@ -55,15 +58,24 @@ by passing the ``permanent`` parameter:: sslify = SSLify(app, permanent=True) +Or by including SSL_PERMANENT in your app's config. + Exclude Certain Paths from Being Redirected ------------------------------------------- - You can exlude a path that starts with given string by including a list called ``skips``:: +You can exlude a path that starts with given string by including a list called ``skips``:: sslify = SSLify(app, skips=['mypath', 'anotherpath']) Or by including SSL_SKIPS in your app's config. + +Turn-off Redirects Completely +------------------------------ +Flask-SSLify won't run if DEBUG is True, but you can also turn-off redirects completely by setting +SSL_NO_REDIRECTS in your app's config which might be useful for things like testing, etc. + + Install ------- diff --git a/flask_sslify.py b/flask_sslify.py index a3083e8..2bbc58a 100644 --- a/flask_sslify.py +++ b/flask_sslify.py 
@@ -9,12 +9,12 @@ class SSLify(object):
     """Secures your Flask App."""
 
     def __init__(self, app, age=YEAR_IN_SECS, subdomains=False, permanent=False, skips=None):
-        if app is not None:
+        if app is not None and not app.config.get('SSL_NO_REDIRECTS'):
             self.app = app
             self.hsts_age = age
-            self.hsts_include_subdomains = subdomains
-            self.permanent = permanent
-            self.skip_list = skips or app.config['SSL_SKIPS']
+            self.hsts_include_subdomains = subdomains or app.config.get('SSL_SUBDOMAINS')
+            self.permanent = permanent or app.config.get('SSL_PERMANENT')
+            self.skip_list = skips or app.config.get('SSL_SKIPS')
             self.init_app(self.app)
         else:
             self.app = None
@@ -35,10 +35,13 @@ class SSLify(object):
         return hsts_policy
 
     @property
-    def skipping(self):
+    def skip(self):
         """Checks the skip list."""
         # Should we skip?
-        if self.skip_list:
+        if self.skip_list:
+            if isinstance(self.skip_list, basestring):
+                if request.path.startswith('/' + skip):
+                    return True
             for skip in self.skip_list:
                 if request.path.startswith('/' + skip):
                     return True
@@ -52,7 +55,7 @@ class SSLify(object):
             request.headers.get('X-Forwarded-Proto', 'http') == 'https'
         ]
 
-        if not any(criteria) and not self.skipping is True:
+        if not any(criteria) and not self.skip is True:
             if request.url.startswith('http://'):
                 url = request.url.replace('http://', 'https://', 1)
                 code = 302
@@ -64,6 +67,6 @@ class SSLify(object):
     def set_hsts_header(self, response):
         """Adds HSTS header to each response."""
         # Should we add STS header?
-        if request.is_secure and not self.skipping is True:
+        if request.is_secure and not self.skip:
             response.headers.setdefault('Strict-Transport-Security', self.hsts_header)
         return response
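Review bot: The new guard `not app.config.get('SSL_NO_REDIRECTS')` in `__init__` is a plain truthiness test, so any non-empty value — a string such as `'false'` loaded from the environment, for instance — silently switches the extension off, and because the `else` branch never calls `init_app`, that switch also drops the Strict-Transport-Security header, not only the redirect. For a control whose failure mode is "no HTTPS enforcement at all", an explicit comparison fails towards enforcement: `if app is not None and app.config.get('SSL_NO_REDIRECTS', False) is not True:`, with a comment stating that the flag disables HSTS as well. The `or` fallbacks on the next lines also mean an explicit `subdomains=False` or `permanent=False` argument cannot override a config value of True, which deserves a sentence in the docstring. `__init__` continues past the end of the hunk, so whether the `else` branch sets the remaining attributes is not visible here.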
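Review bot: In the new `isinstance(self.skip_list, basestring)` branch of `skip`, `skip` is referenced before it is bound, so a string-valued SSL_SKIPS raises NameError on every request that evaluates the property; and even with `self.skip_list` substituted, a non-matching string falls through to `for skip in self.skip_list`, which iterates the string character by character and would exempt any path beginning with one of its letters from both the redirect and the HSTS header. Normalise a bare string to a one-element list and keep a single loop, as below; the property's fall-through return, if any, lies past the end of the hunk. Renaming the property from `skipping` to `skip` also changes a public attribute, so any code outside this file that reads `SSLify.skipping` would break.
```python
        if self.skip_list:
            prefixes = self.skip_list
            # A bare string is one prefix, not a sequence of one-character prefixes.
            if isinstance(prefixes, basestring):
                prefixes = [prefixes]
            for skip in prefixes:
                if request.path.startswith('/' + skip):
                    return True
```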
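Review bot: The replacement line `if not any(criteria) and not self.skip is True:` parses as `not (self.skip is True)` and is inconsistent with the fourth hunk, where the same test was simplified to `not self.skip`; use the same form here, `if not any(criteria) and not self.skip:`, so both call sites treat the property identically. The enclosing function starts before the hunk and continues after it.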