forked from not-kennethreitz/flask-sslify
-
Notifications
You must be signed in to change notification settings - Fork 9
/
flask_sslify.py
96 lines (76 loc) · 2.85 KB
/
flask_sslify.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
# -*- coding: utf-8 -*-
from flask import request, redirect, current_app
YEAR_IN_SECS = 31536000
class SSLify(object):
"""Secures your Flask App."""
def __init__(self, app=None, age=YEAR_IN_SECS, subdomains=False,
permanent=False, skips=None):
self.app = app or current_app
self.defaults = {
'subdomains': subdomains,
'permanent': permanent,
'skips': skips,
'age': age,
}
if app is not None:
self.init_app(app)
@property
def hsts_age(self):
return self.app.config['SSLIFY_AGE']
@property
def hsts_include_subdomains(self):
return self.app.config['SSLIFY_SUBDOMAINS']
@property
def permanent(self):
return self.app.config['SSLIFY_PERMANENT']
@property
def skip_list(self):
return self.app.config['SSLIFY_SKIPS']
def init_app(self, app):
"""Configures the specified Flask app to enforce SSL."""
app.config.setdefault('SSLIFY_AGE', self.defaults['age'])
app.config.setdefault('SSLIFY_SUBDOMAINS', self.defaults['subdomains'])
app.config.setdefault('SSLIFY_PERMANENT', self.defaults['permanent'])
app.config.setdefault('SSLIFY_SKIPS', self.defaults['skips'])
app.before_request(self.redirect_to_ssl)
app.after_request(self.set_hsts_header)
@property
def hsts_header(self):
"""Returns the proper HSTS policy."""
hsts_policy = 'max-age={0}'.format(self.hsts_age)
if self.hsts_include_subdomains:
hsts_policy += '; includeSubDomains'
return hsts_policy
@property
def skip(self):
"""Checks the skip list."""
# Should we skip?
if self.skip_list and isinstance(self.skip_list, list):
for skip in self.skip_list:
if request.path.startswith('/{0}'.format(skip)):
return True
return False
def redirect_to_ssl(self):
"""Redirect incoming requests to HTTPS."""
# Should we redirect?
criteria = [
request.is_secure,
current_app.debug,
current_app.testing,
request.headers.get('X-Forwarded-Proto', 'http') == 'https'
]
if not any(criteria) and not self.skip:
if request.url.startswith('http://'):
url = request.url.replace('http://', 'https://', 1)
code = 302
if self.permanent:
code = 301
r = redirect(url, code=code)
return r
def set_hsts_header(self, response):
"""Adds HSTS header to each response."""
# Should we add STS header?
if request.is_secure and not self.skip:
response.headers.setdefault(
'Strict-Transport-Security', self.hsts_header)
return response