allow abort

[buckhx]

abort(403) if an HTTP connection is made when expecting HTTPS

This will force clients to use HTTPS. If they added auth credentials in the params or body they would have been visible from the initial insecure request.

[ryan-lane]

This looks like a good feature. Would you mind rebasing your PR?

[buckhx]

Merged and tried to match the pattern followed by the other args

[ryan-lane]

I'd like to get @woodrow's input on this.

[woodrow]

This seems fine, though I've got a couple of suggestions that might make this even more user-friendly:

• Can you add a section to the README about this option?
• If one is handling credentials that are so sensitive that they should never be transmitted in the clear, then it would be better to configure your web server to listen on port 443 only. I understand that many people may be using this in environments where that's not an option (e.g. Heroku) but it might be good to mention this in the README.
• A 403 with no error message other than "Forbidden" may not make it clear to API users why their API call is failing. It would be awesome if you could define a new werkzeug.exceptions.HTTPException subclass that you could raise in order to provide an error message about the reason for the 403. The Stripe API has a good example of this:

$ curl -i http://api.stripe.com
HTTP/1.0 403 Forbidden
Cache-Control: no-cache
Connection: close
Content-Type: application/json

{
  "error": {
    "message" : "The Stripe API is only accessible over HTTPS.  Please see <https://stripe.com/docs> for more information.",
    "type": "invalid_request_error"
  }
}

[kennethreitz]

I don't think this is a good solution to the problem you are trying to solve. A 4xx response will have the same effect as a 3xx response if sensitive data was being sent in the original request.

Thanks for submitting it, though!