HTTP Strict Transport Security for a Pyramid application.
Enforce [HTTP Strict Transport Security][] for a [Pyramid][] web application.
### Features

- adds a `Strict-Transport-Security` header to every response
- redirects requests that arrive over an insecure protocol to the corresponding secure protocol, i.e. from `http://…` to `https://…`
- ensures URLs generated by the `request.*_url` methods (e.g. `request.route_url`) use a secure protocol
### Usage

To use, `pip install pyramid_hsts` (or add `pyramid_hsts` to your `requirements.txt`) and then [include][] the package:

```python
config.include('pyramid_hsts')
```
### Configuration

If you're running behind a frontend that proxies secure requests to your app over an insecure protocol (e.g. on Heroku or in a common Nginx setup), it is common practice for the frontend to set a header indicating the original protocol. To read this, you need to [specify][] the name of the `protocol_header`:

```ini
# must be specified if behind proxy
hsts.protocol_header=X-Forwarded-Proto
```

You can also specify the `max_age` of your HSTS header and whether to `include_subdomains`, e.g.:

```ini
# defaults to 8640000
hsts.max_age=4320000
# defaults to true
hsts.include_subdomains=false
```
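The following is an added example, not pyramid_hsts's own code, showing the three behaviours listed under Features and the proxy-header handling described under Configuration as a standalone, stdlib-only WSGI middleware so it can be run without Pyramid. The class and function names, the `run`/`make_environ` helpers and the sample request values are this example's own assumptions; the setting names and defaults (`max_age` 8640000, `include_subdomains` true, `protocol_header`) follow the settings documented above.

```python
# Added example (not pyramid_hsts's own code): stdlib-only WSGI middleware that
# adds the HSTS header, redirects http -> https, forces https for downstream
# URL generation, and reads the proxy's protocol header when one is configured.
from wsgiref.util import request_uri


def hsts_header_value(max_age=8640000, include_subdomains=True):
    """Build the Strict-Transport-Security value from the two settings."""
    value = "max-age=%d" % int(max_age)
    if include_subdomains:
        value += "; includeSubDomains"
    return value


def effective_scheme(environ, protocol_header=None):
    """Scheme the client actually used.

    Behind a TLS-terminating proxy, wsgi.url_scheme only describes the
    proxy-to-app hop, so trust the configured header (e.g. X-Forwarded-Proto)
    instead. Configure it only when the proxy is known to set or overwrite that
    header; otherwise a client-supplied value would bypass the redirect.
    """
    if protocol_header:
        key = "HTTP_" + protocol_header.upper().replace("-", "_")
        forwarded = environ.get(key, "")
        if forwarded:
            # The header may carry a comma-separated chain; the first entry
            # describes the client-facing hop.
            return forwarded.split(",")[0].strip().lower()
    return environ.get("wsgi.url_scheme", "http")


class HSTSMiddleware:
    """Hypothetical middleware name; mirrors the behaviours listed above."""

    def __init__(self, app, max_age=8640000, include_subdomains=True,
                 protocol_header=None):
        self.app = app
        self.protocol_header = protocol_header
        self.header_value = hsts_header_value(max_age, include_subdomains)

    def __call__(self, environ, start_response):
        environ = dict(environ)  # work on a copy; callers may reuse theirs
        if effective_scheme(environ, self.protocol_header) != "https":
            # Insecure request: redirect to the same URL over https. No HSTS
            # header is sent here; browsers ignore it on plain-http responses.
            environ["wsgi.url_scheme"] = "https"
            location = request_uri(environ, include_query=True)
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]

        # Secure request: anything downstream that derives absolute URLs from
        # wsgi.url_scheme (as Pyramid's request.*_url methods do) now emits https.
        environ["wsgi.url_scheme"] = "https"

        def hsts_start_response(status, headers, exc_info=None):
            headers = [(k, v) for k, v in headers
                       if k.lower() != "strict-transport-security"]
            headers.append(("Strict-Transport-Security", self.header_value))
            return start_response(status, headers, exc_info)

        return self.app(environ, hsts_start_response)


def demo_app(environ, start_response):
    """Tiny app that echoes the absolute URL it would generate for itself."""
    body = request_uri(environ).encode("ascii")
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [body]


def run(app, environ):
    """Call a WSGI app with a constructed environ; returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def make_environ(scheme="http", host="example.com", path="/login",
                 query="next=%2Faccount", forwarded_proto=None):
    """Constructed sample request (not captured traffic)."""
    environ = {"wsgi.url_scheme": scheme, "HTTP_HOST": host, "SCRIPT_NAME": "",
               "PATH_INFO": path, "QUERY_STRING": query,
               "REQUEST_METHOD": "GET", "SERVER_NAME": host, "SERVER_PORT": "80"}
    if forwarded_proto is not None:
        environ["HTTP_X_FORWARDED_PROTO"] = forwarded_proto
    return environ


if __name__ == "__main__":
    app = HSTSMiddleware(demo_app, max_age=4320000, include_subdomains=False,
                         protocol_header="X-Forwarded-Proto")
    print(run(app, make_environ()))                          # insecure: redirect
    print(run(app, make_environ(forwarded_proto="https")))   # proxied https: header + https URL
```

Two points worth checking against your own deployment: the redirect branch deliberately sends no HSTS header, since user agents discard it on non-TLS responses, and the protocol header is only honoured when explicitly configured, because on a deployment without a proxy that header comes straight from the client.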
[HTTP Strict Transport Security]: http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
[Pyramid]: http://pypi.python.org/pypi/pyramid
[include]: http://docs.pylonsproject.org/projects/pyramid/en/latest/api/config.html#pyramid.config.Configurator.include
[specify]: http://docs.pylonsproject.org/projects/pyramid/en/latest/narr/environment.html#adding-a-custom-setting