not-kennethreitz/flask-sslify
1
0
Fork 0
mirror of https://github.com/not-kennethreitz/flask-sslify.git synced 2026-06-05 06:56:15 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
30ae87fd5cdec82a72690bf6b9e109b42b6aee4b
flask-sslify/README.rst
T
Nikolay Shebanov 549bea991c Add a note about Flask-Talisman
2019-01-29 22:45:35 +02:00

95 lines
2.9 KiB
ReStructuredText
Raw Blame History

Flask-SSLify
============
This is a simple Flask extension that configures your Flask application to redirect
all incoming requests to HTTPS.
The extension is no longer maintained, prefer using `Flask-Talisman <https://github.com/GoogleCloudPlatform/flask-talisman>`_ as it is encouraged by the `Flask Security Guide <http://flask.pocoo.org/docs/dev/security/>`_.
If you're interested in financially supporting Kenneth Reitz open source, consider `visiting this link <https://cash.me/$KennethReitz>`_. Your support helps tremendously with sustainability of motivation, as Open Source is no longer part of my day job.
Redirects only occur when ``app.debug`` is ``False``.
Usage
-----
Usage is pretty simple::
from flask import Flask
from flask_sslify import SSLify
app = Flask(__name__)
sslify = SSLify(app)
If you make an HTTP request, it will automatically redirect::
$ curl -I http://secure-samurai.herokuapp.com/
HTTP/1.1 302 FOUND
Content-length: 281
Content-Type: text/html; charset=utf-8
Date: Sun, 29 Apr 2012 21:39:36 GMT
Location: https://secure-samurai.herokuapp.com/
Server: gunicorn/0.14.2
Strict-Transport-Security: max-age=31536000
Connection: keep-alive
HTTP Strict Transport Security
------------------------------
Flask-SSLify also provides your application with an HSTS policy.
By default, HSTS is set for *one year* (31536000 seconds).
You can change the duration by passing the ``age`` parameter::
sslify = SSLify(app, age=300)
If you'd like to include subdomains in your HSTS policy, set the ``subdomains`` parameter::
sslify = SSLify(app, subdomains=True)
Or by including ``SSLIFY_SUBDOMAINS`` in your app's config.
HTTP 301 Redirects
------------------
By default, the redirect is issued with a HTTP 302 response. You can change that to a HTTP 301 response
by passing the ``permanent`` parameter::
sslify = SSLify(app, permanent=True)
Or by including ``SSLIFY_PERMANENT`` in your app's config.
Exclude Certain Paths from Being Redirected
-------------------------------------------
You can exlude a path that starts with given string by including a list called ``skips``::
sslify = SSLify(app, skips=['mypath', 'anotherpath'])
Or by including ``SSLIFY_SKIPS`` in your app's config.
Install
-------
Installation is simple too::
$ pip install Flask-SSLify
Security consideration using basic auth
---------------------------------------
When using basic auth, it is important that the redirect occurs before the user is prompted for
credentials. Flask-SSLify registers a ``before_request`` handler, to make sure this handler gets
executed before credentials are entered it is advisable to not prompt for any authentication
inside a ``before_request`` handler.
The example found at http://flask.pocoo.org/snippets/8/ works nicely, as the view function's
decorator will never have an effect before the ``before_request`` hooks are executed.
Reference in New Issue View Git Blame Copy Permalink