Enforce HTTP Strict Transport Security for a Pyramid web application.
- adds a Strict-Transport-Security header to every response
- redirects requests that arrive over an insecure protocol to the corresponding secure protocol, i.e. from http://... to https://...
- ensures URLs generated by the request.*_url methods (e.g. request.route_url) use a secure protocol
To use, pip install pyramid_hsts (or add pyramid_hsts to your requirements.txt)
and then include the package in your Pyramid configuration:
config.include('pyramid_hsts')
If you're running behind a frontend that proxies secure requests to your app over
an insecure protocol (e.g. on Heroku or in a common Nginx setup), it is common
practice for the frontend to set a header indicating the original protocol. To
read it, you need to specify the name of that header as protocol_header:
# must be specified if behind a proxy
hsts.protocol_header=X-Forwarded-Proto
Only set this when a trusted frontend always sets (and overwrites) the header:
if the app is reachable directly, a client can send X-Forwarded-Proto: https
itself over plain HTTP and bypass the redirect.
You can also specify the max_age of the HSTS header and whether to include the
includeSubDomains and preload directives, e.g.:
# defaults to 10886400 (126 days)
hsts.max_age=21772800
# both default to true
hsts.include_subdomains=false
hsts.preload=false
Note that the preload directive only has an effect once the domain is submitted
to the browser preload list, and that submission (hstspreload.org) requires
includeSubDomains and a max_age of at least one year (31536000), so raise
max_age if you intend to preload.
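As an added example (not pyramid_hsts's own code, which is implemented as a Pyramid tween), the following self-contained WSGI middleware reproduces the behaviour described above so it can be run without Pyramid installed: it builds the Strict-Transport-Security value from max_age/include_subdomains/preload, redirects insecure requests to https, and honours a configurable protocol header such as X-Forwarded-Proto only when one is explicitly configured. The rewriting of request.*_url methods is Pyramid-specific and is not reproduced here. The hello_app, make_environ and run helpers and the sample request environs are constructed for the example.

```python
"""Added example: a WSGI middleware mirroring the HSTS behaviour described in
the README. Not the pyramid_hsts implementation; helper names are hypothetical."""
from urllib.parse import urlunsplit


def build_hsts_header(max_age=10886400, include_subdomains=True, preload=True):
    """Build the Strict-Transport-Security value; defaults mirror the README."""
    directives = [f"max-age={int(max_age)}"]
    if include_subdomains:
        directives.append("includeSubDomains")
    if preload:
        directives.append("preload")
    return "; ".join(directives)


def request_scheme(environ, protocol_header=None):
    """Return the effective scheme. The proxy header is consulted only when
    configured, because a client can forge it when the app is reached directly."""
    if protocol_header:
        key = "HTTP_" + protocol_header.upper().replace("-", "_")
        forwarded = environ.get(key)
        if forwarded:
            # Proxies may append values ("https, http"); the first hop is the client's.
            return forwarded.split(",")[0].strip().lower()
    return environ.get("wsgi.url_scheme", "http")


class HSTSMiddleware:
    """Redirect insecure requests to https and stamp every secure response."""

    def __init__(self, app, protocol_header=None, **header_opts):
        self.app = app
        self.protocol_header = protocol_header
        self.header_value = build_hsts_header(**header_opts)

    def __call__(self, environ, start_response):
        if request_scheme(environ, self.protocol_header) != "https":
            host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
            location = urlunsplit(("https", host, environ.get("PATH_INFO", "/"),
                                   environ.get("QUERY_STRING", ""), ""))
            # No HSTS header here: browsers ignore it on plain-HTTP responses anyway.
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]

        def hsts_start_response(status, headers, exc_info=None):
            # Replace any value the app set so the configured policy always wins.
            headers = [(k, v) for k, v in headers
                       if k.lower() != "strict-transport-security"]
            headers.append(("Strict-Transport-Security", self.header_value))
            return start_response(status, headers, exc_info)

        return self.app(environ, hsts_start_response)


def hello_app(environ, start_response):
    """Constructed downstream app standing in for the Pyramid application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]


def make_environ(scheme="http", host="example.com", path="/login",
                 query="next=%2F", headers=None):
    """Constructed WSGI environ for a sample request; headers are raw HTTP names."""
    environ = {"wsgi.url_scheme": scheme, "HTTP_HOST": host, "SERVER_NAME": host,
               "PATH_INFO": path, "QUERY_STRING": query, "REQUEST_METHOD": "GET"}
    for name, value in (headers or {}).items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    return environ


def run(app, environ):
    """Invoke a WSGI app once; return (status, headers as dict, body bytes)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    behind_proxy = HSTSMiddleware(hello_app, protocol_header="X-Forwarded-Proto")
    print(run(behind_proxy, make_environ(scheme="http")))
    print(run(behind_proxy, make_environ(
        scheme="http", headers={"X-Forwarded-Proto": "https"})))
```

Running the block shows the two cases that matter in a proxied deployment: a request the proxy marks as originally-https passes through and gets the header, while the same X-Forwarded-Proto value sent to a middleware that has no protocol_header configured is ignored and still redirected.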