not-kennethreitz/flask-sslify
1
0
Fork 0
mirror of https://github.com/not-kennethreitz/flask-sslify.git synced 2026-06-05 15:00:21 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
d8d94340743cfb127cff65dabf9f735bb768f143
flask-sslify/flask_sslify.py
T
Michael Tofias d8d9434074 Fixed current_app stuff which I took out b/c … ?
2015-03-31 12:28:32 -05:00

71 lines
2.3 KiB
Python
Raw Blame History

# -*- coding: utf-8 -*-
from flask import request, redirect, current_app
YEAR_IN_SECS = 31536000
class SSLify(object):
"""Secures your Flask App."""
def __init__(self, app, age=YEAR_IN_SECS, subdomains=False, permanent=False, skips=None):
if app is not None:
self.init_app(app)
self.app = app
self.hsts_age = age
self.hsts_include_subdomains = subdomains or app.config.get('SSL_SUBDOMAINS')
self.permanent = permanent or app.config.get('SSL_PERMANENT')
self.skip_list = skips or app.config.get('SSL_SKIPS')
self.init_app(self.app)
else:
self.app = None
def init_app(self, app):
"""Configures the configured Flask app to enforce SSL."""
app.before_request(self.redirect_to_ssl)
app.after_request(self.set_hsts_header)
@property
def hsts_header(self):
"""Returns the proper HSTS policy."""
hsts_policy = 'max-age={0}'.format(self.hsts_age)
if self.hsts_include_subdomains:
hsts_policy += '; includeSubDomains'
return hsts_policy
@property
def skip(self):
"""Checks the skip list."""
# Should we skip?
if self.skip_list and not isinstance(self.skip_list, basestring):
for skip in self.skip_list:
if request.path.startswith('/' + skip):
return True
def redirect_to_ssl(self):
"""Redirect incoming requests to HTTPS."""
# Should we redirect?
criteria = [
request.is_secure,
current_app.debug,
request.headers.get('X-Forwarded-Proto', 'http') == 'https'
]
if not any(criteria) and not self.skip:
if request.url.startswith('http://'):
url = request.url.replace('http://', 'https://', 1)
code = 302
if self.permanent:
code = 301
r = redirect(url, code=code)
return r
def set_hsts_header(self, response):
"""Adds HSTS header to each response."""
# Should we add STS header?
if request.is_secure and not self.skip:
response.headers.setdefault('Strict-Transport-Security', self.hsts_header)
return response
Reference in New Issue View Git Blame Copy Permalink