Closed buckhx closed 8 years ago
This looks like a good feature. Would you mind rebasing your PR?
Merged and tried to match the pattern followed by the other args
I'd like to get @woodrow's input on this.
This seems fine, though I've got a couple of suggestions that might make this even more user-friendly:
werkzeug.exceptions.HTTPException subclass that you could raise in order to provide an error message about the reason for the 403. The Stripe API has a good example of this:
$ curl -i http://api.stripe.com
HTTP/1.0 403 Forbidden
Cache-Control: no-cache
Connection: close
Content-Type: application/json
{
"error": {
"message" : "The Stripe API is only accessible over HTTPS. Please see <https://stripe.com/docs> for more information.",
"type": "invalid_request_error"
}
}
I don't think this is a good solution to the problem you are trying to solve. A 4xx response will have the same effect as a 3xx response if sensitive data was being sent in the original request.
Thanks for submitting it, though!
abort(403) if an HTTP connection is made when expecting HTTPS
This will force clients to use HTTPS. If they added auth credentials in the params or body they would have been visible from the initial insecure request.
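The behaviour discussed in this thread (answer plain HTTP with a 403 that explains why, instead of redirecting), as an added example that is not the PR's or the project's code. It is written as standard-library WSGI middleware; `RequireHTTPS`, `trust_forwarded_proto`, `demo_app` and `call` are hypothetical names, and the error text is constructed.

```python
import json

# Constructed error body, modelled on the Stripe response quoted in the thread.
ERROR_BODY = json.dumps({"error": {
    "message": "This API is only accessible over HTTPS.",
    "type": "invalid_request_error",
}}).encode("utf-8")


class RequireHTTPS:
    """Hypothetical WSGI middleware: 403 on plain HTTP instead of a redirect."""

    def __init__(self, app, trust_forwarded_proto=False):
        self.app = app
        # Enable only behind a TLS-terminating proxy that overwrites this
        # header; otherwise any client can claim "https" and skip the check.
        self.trust_forwarded_proto = trust_forwarded_proto

    def is_secure(self, environ):
        if environ.get("wsgi.url_scheme") == "https":
            return True
        proto = environ.get("HTTP_X_FORWARDED_PROTO", "").strip().lower()
        return self.trust_forwarded_proto and proto == "https"

    def __call__(self, environ, start_response):
        if self.is_secure(environ):
            return self.app(environ, start_response)
        # The insecure request has already crossed the network, so credentials
        # in its params or body were exposed. The 403 only makes the client
        # fail loudly rather than keep working over HTTP via a redirect.
        start_response("403 Forbidden", [
            ("Content-Type", "application/json"),
            ("Content-Length", str(len(ERROR_BODY))),
            ("Cache-Control", "no-cache"),
        ])
        return [ERROR_BODY]


def demo_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]


def call(app, scheme, extra=None):
    """Drive a WSGI app with a constructed environ; return (status, body)."""
    environ = {"wsgi.url_scheme": scheme, "REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    environ.update(extra or {})
    seen = []
    body = b"".join(app(environ, lambda status, headers: seen.append(status)))
    return seen[0], body
```

A Flask application can be wrapped with `app.wsgi_app = RequireHTTPS(app.wsgi_app)`.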