A RetroSearch Logo

Home - News ( United States | United Kingdom | Italy | Germany ) - Football scores

Search Query:

Showing content from http://stackoverflow.com/questions/8436666/how-to-make-python-on-heroku-https-only below:

django - How to make python on Heroku https only?

Asked 13 years, 8 months ago

Viewed 22k times

I have python/django app on Heroku (Cedar stack) and would like to make it accessible over https only. I have enabled the "ssl piggyback"-option, and can connect to it via https.

But what is the best way to disable http access, or redirect to https?

asked Dec 8, 2011 at 19:41

KristianKristian

6,50744 gold badges3737 silver badges3737 bronze badges

Combining the answer from @CraigKerstiens and @allanlei into something I have tested, and verified to work. Heroku sets the HTTP_X_FORWARDED_PROTO to https when request is ssl, and we can use this to check:

from django.conf import settings
from django.http import HttpResponseRedirect


class SSLMiddleware(object):

    def process_request(self, request):
        if not any([settings.DEBUG, request.is_secure(), request.META.get("HTTP_X_FORWARDED_PROTO", "") == 'https']):
            url = request.build_absolute_uri(request.get_full_path())
            secure_url = url.replace("http://", "https://")
            return HttpResponseRedirect(secure_url)
Symmetric

4,77355 gold badges3737 silver badges5050 bronze badges

answered Feb 9, 2012 at 8:48

KristianKristian

6,50744 gold badges3737 silver badges3737 bronze badges

8

Django 1.8 will have core support for non-HTTPS redirect (integrated from django-secure):

SECURE_SSL_REDIRECT = True # [1]
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')

In order for SECURE_SSL_REDIRECT to be handled you have to use the SecurityMiddleware:

MIDDLEWARE = [
    ...
    'django.middleware.security.SecurityMiddleware',
]

[1] https://docs.djangoproject.com/en/1.8/ref/settings/#secure-ssl-redirect

answered Oct 31, 2014 at 8:12

shangxiaoshangxiao

1,2091212 silver badges1111 bronze badges

7

Not sure if @CraigKerstiens's answer takes into account that request.is_secure() always returns False if behind Heroku's reverse proxy and not "fixed". If I remember correctly, this will cause a HTTP redirect loop.

If you are running Django with gunicorn, another way to do it is to add the following to gunicorn's config

secure_scheme_headers = {
    'X-FORWARDED-PROTO': 'https'
}

Run with some like this in your Procfile

web: python manage.py run_gunicorn -b 0.0.0.0:$PORT -c config/gunicorn.conf

By setting gunicorn's secure-scheme-header, request.is_secure() will properly return True on https requests. See Gunicorn Config.

Now @CraigKerstiens's middleware will work properly, including any calls to request.is_secure() in your app.

Note: Django also has the same config setting call SECURE_PROXY_SSL_HEADER, buts in the dev version.

answered Feb 9, 2012 at 3:10

Allan LeiAllan Lei

32844 silver badges66 bronze badges

2

What framework are you using for your application? If you're using Django you could simple use some middleware similar to:

import re

from django.conf import settings
from django.core import urlresolvers
from django.http import HttpResponse, HttpResponseRedirect


class SSLMiddleware(object):

    def process_request(self, request):
        if not any([settings.DEBUG, request.is_secure()]):
            url = request.build_absolute_uri(request.get_full_path())
            secure_url = url.replace("http://", "https://")
            return HttpResponseRedirect(secure_url)

answered Dec 8, 2011 at 19:46

CraigKerstiensCraigKerstiens

5,98911 gold badge2727 silver badges2929 bronze badges

2

2020 update:

If you are using Flask, I would recommend the following:

@app.before_request
def before_request():
    if 'DYNO' in os.environ:
        if request.url.startswith('http://'):
            url = request.url.replace('http://', 'https://', 1)
            code = 301
            return redirect(url, code=code)

The above works excellent on Heroku and allows you to use http in local development with heroku local.

Flask-SSLify is no longer maintained and no longer officially supported by the Flask community.

2014 original answer:

If you're using Flask, this works quite well:

  1. Do "pip install flask-sslify"

(github is here: https://github.com/kennethreitz/flask-sslify)

  1. Include the following lines:
from flask_sslify import SSLify
if 'DYNO' in os.environ: # only trigger SSLify if the app is running 
on Heroku
    sslify = SSLify(app)

answered Mar 3, 2014 at 2:24

Ryan SheaRyan Shea

4,30444 gold badges3434 silver badges3232 bronze badges

2

For Flask use Talisman. Flask, Heroku and SSLify documentations favor the use of Talisman over SSLify because the later is no longer maintained.

From SSLify:

The extension is no longer maintained, prefer using Flask-Talisman as it is encouraged by the Flask Security Guide.

Install via pip:

$ pip install flask-talisman

Instatiate the extension (example):

from flask import Flask
from flask_talisman import Talisman

app = Flask(__name__)
if 'DYNO' in os.environ:
    Talisman(app)

Talisman enables CSP (Content Security Policy) by default only allowing resources from the same domain to be loaded. If you want to disable it and deal with the implications:

Talisman(app, content_security_policy=None)

If you don't want to disable it you have to set the content_security_policy argument to allow resources from external domains, like CDNs, for instance. For that refer to the documentation.

answered May 19, 2021 at 22:37

Maicon MauricioMaicon Mauricio

3,21122 gold badges2525 silver badges4040 bronze badges

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.

RetroSearch is an open source project built by @garambo | Open a GitHub Issue

Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo

HTML: 3.2 | Encoding: UTF-8 | Version: 0.7.4