not-kennethreitz / flask-sslify

Force SSL on your Flask app.
https://pypi.python.org/pypi/Flask-SSLify
BSD 2-Clause "Simplified" License

Don't send HSTS headers over non-HTTPS connections #8

Closed nvie closed 10 years ago

nvie commented 12 years ago

This fixes #5.

kennethreitz commented 11 years ago

Thanks!

kennethreitz commented 11 years ago

Hmm, does it hurt to send them over regular connections?

nvie commented 11 years ago

Well, I suppose it doesn't hurt, no. But from the specs:

"Client implementations must not respect STS headers sent over non-HTTPS responses […]"

So it might be confusing to send them over non-secure connections. This is a bit more restricting, adding the header only to connections where it actually makes sense.

jparise commented 11 years ago

I'd actually go even further and apply the same criteria (e.g. non-debug mode) that the redirection code uses.

kennethreitz commented 10 years ago

Man, I have no idea why I didn't merge this.

nvie commented 10 years ago

LOL, :sparkles: :cake: :sparkles: anyway :)
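The behaviour this thread settles on, written out as a small plain-WSGI middleware (an added illustration, not flask-sslify's own code): redirect plain-HTTP requests to HTTPS outside debug mode, and attach Strict-Transport-Security only to responses that actually travel over HTTPS, using the same non-debug criterion as the redirect. It assumes a hypothetical `hello` app and a `run` helper for driving a request; it checks only `wsgi.url_scheme`, deliberately leaving proxy headers such as X-Forwarded-Proto out of scope.

```python
from urllib.parse import quote


class SSLify:
    """Redirect HTTP to HTTPS and send HSTS only on HTTPS responses."""

    def __init__(self, app, debug=False, age=31536000, subdomains=False):
        self.app = app
        self.debug = debug
        self.hsts_value = f"max-age={age}" + (
            "; includeSubDomains" if subdomains else "")

    @staticmethod
    def is_secure(environ):
        # Only trust what the WSGI server itself reports about the scheme.
        return environ.get("wsgi.url_scheme") == "https"

    def __call__(self, environ, start_response):
        secure = self.is_secure(environ)
        if not secure and not self.debug:
            # Same criterion as the redirect in the thread: skip in debug mode.
            host = environ.get("HTTP_HOST", "localhost")
            path = quote(environ.get("PATH_INFO", "/"))
            qs = environ.get("QUERY_STRING", "")
            location = f"https://{host}{path}" + (f"?{qs}" if qs else "")
            start_response("302 Found", [("Location", location)])
            return [b""]

        def hsts_start_response(status, headers, exc_info=None):
            # Clients must ignore HSTS received over plain HTTP (RFC 6797),
            # so the header is only appended when this response is secure.
            if secure and not self.debug:
                headers = list(headers) + [
                    ("Strict-Transport-Security", self.hsts_value)]
            return start_response(status, headers, exc_info)

        return self.app(environ, hsts_start_response)


def hello(environ, start_response):
    """Hypothetical downstream app used for the examples below."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]


def run(app, environ):
    """Drive a WSGI app once; return (status, headers dict, body bytes)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body
```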