A Chrome update this week started giving our users warnings saying "The information you are about to submit is not secure" when they did something that caused the browser to make a POST request. It turned out that Chrome was complaining about the redirect following the POST being http instead of https. Our code creates a relative Location header for the redirect (which is permissible according to RFC 7231), and then Werkzeug "helpfully" makes an absolute URL out of it using the URL scheme that Werkzeug sees, which is http instead of https if you run the app behind nginx or a load balancer that terminates TLS and talks plain HTTP to the app.
Werkzeug has several settings to control the behavior of responses, including one to turn off rewriting the Location header (`autocorrect_location_header`), and doing that fixed the Chrome warning.
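To make the mechanism concrete, here is a small added model of what happens (example code written for this note, not Werkzeug's own implementation): a relative `Location` is joined against the request URL the app reconstructs from the WSGI environ, so behind a TLS-terminating proxy the scheme comes out as `http`. The environ, host name and paths are constructed sample values; the keyword `autocorrect_location_header` is named after the real Werkzeug `Response` attribute, and `trust_forwarded_proto` is a hypothetical helper standing in for what a proxy-aware middleware does.

```python
from urllib.parse import urljoin

# Constructed WSGI environ as the app sees it behind nginx terminating TLS:
# the proxy speaks plain HTTP to the app, so wsgi.url_scheme is "http" even
# though the browser connected over https. The original scheme survives
# only in the X-Forwarded-Proto header the proxy adds.
BEHIND_PROXY_ENVIRON = {
    "wsgi.url_scheme": "http",
    "HTTP_HOST": "app.example.test",
    "SCRIPT_NAME": "",
    "PATH_INFO": "/orders",
    "REQUEST_METHOD": "POST",
    "HTTP_X_FORWARDED_PROTO": "https",
}


def request_url(environ):
    """Rebuild the request URL (scheme + host + path) from a WSGI environ."""
    return "%s://%s%s%s" % (
        environ["wsgi.url_scheme"],
        environ["HTTP_HOST"],
        environ.get("SCRIPT_NAME", ""),
        environ.get("PATH_INFO", ""),
    )


def absolutize_location(environ, location):
    """Model of the framework's Location rewrite: a relative Location is
    joined against the request URL, inheriting whatever scheme the app saw."""
    return urljoin(request_url(environ), location)


def build_redirect_headers(environ, location, autocorrect_location_header=True):
    """Produce the Location header for a redirect. With the rewrite switched
    off (the Werkzeug setting of the same name set to False) the relative
    Location goes out untouched and the browser resolves it against the
    https page it is already on."""
    headers = {"Location": location}
    if autocorrect_location_header:
        headers["Location"] = absolutize_location(environ, location)
    return headers


def trust_forwarded_proto(environ):
    """Hypothetical proxy-aware fix: copy the environ with wsgi.url_scheme
    taken from X-Forwarded-Proto. Only appropriate when that header is set by
    your own proxy and cannot be supplied by the client directly."""
    fixed = dict(environ)
    proto = environ.get("HTTP_X_FORWARDED_PROTO")
    if proto in ("http", "https"):
        fixed["wsgi.url_scheme"] = proto
    return fixed


def location_downgrades_https(environ, headers):
    """Check a practitioner can run on responses: True if the client arrived
    over https but the redirect sends it to an absolute http:// URL, which is
    exactly what triggers the Chrome 'not secure' warning after a POST."""
    client_scheme = environ.get("HTTP_X_FORWARDED_PROTO", environ["wsgi.url_scheme"])
    location = headers.get("Location", "")
    return client_scheme == "https" and location.lower().startswith("http://")


if __name__ == "__main__":
    env = BEHIND_PROXY_ENVIRON
    rewritten = build_redirect_headers(env, "/orders/42")
    relative = build_redirect_headers(env, "/orders/42", autocorrect_location_header=False)
    proxied = build_redirect_headers(trust_forwarded_proto(env), "/orders/42")
    print("rewritten:", rewritten["Location"], "downgrade:", location_downgrades_https(env, rewritten))
    print("relative: ", relative["Location"], "downgrade:", location_downgrades_https(env, relative))
    print("proxied:  ", proxied["Location"], "downgrade:", location_downgrades_https(env, proxied))
```

The two ways out are visible in the model: either leave the `Location` relative (what the note above did, via `autocorrect_location_header = False`), or make the app see the scheme the client used by trusting the proxy's `X-Forwarded-Proto` header, as Werkzeug's `ProxyFix` middleware does. The second approach is only safe when the proxy overwrites that header on every request, otherwise a client can set it itself.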