HTTP Strict Transport Security for a Pyramid application.
Enforce [HTTP Strict Transport Security][] for a [Pyramid][] web application.
### Features
- adds a `Strict-Transport-Security` header to every response
- redirects requests with an insecure protocol to the corresponding secure protocol, i.e.: from `http://…` to `https://…`
- ensures urls generated by `request.*_url` methods (e.g.: `request.route_url`) use a secure protocol
### Usage
To use, `pip install pyramid_hsts` / add `pyramid_hsts` to your `requirements.txt` and then [include][] the package:

```python
config.include('pyramid_hsts')
```
### Configuration
If you’re running behind a frontend that proxies secure requests to your app on an insecure protocol (e.g.: on Heroku or a common Nginx setup) then it is common practice for the frontend to set a header indicating the original protocol. To read this, you need to [specify][] the name of the `protocol_header`:

```ini
# must be specified if behind proxy
hsts.protocol_header=X-Forwarded-Proto
```
You can also specify the `max_age` of your HSTS header and whether to `include_subdomains`, e.g.:

```ini
# defaults to 10886400
hsts.max_age=21772800
# both default to true
hsts.include_subdomains=false
hsts.preload=false
```
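As an added illustration (not pyramid_hsts's own code), this plain-WSGI sketch shows how the settings above interact: the scheme is taken from the configured protocol header, insecure requests are redirected, and secure responses get the HSTS header. The names `hsts_value`, `enforce_hsts`, `request`, `hello` and the host `example.test` are hypothetical, and the sketch assumes the frontend always sets or strips the protocol header, since a client-supplied value would otherwise be trusted.

```python
# Added sketch, NOT pyramid_hsts's own code; every name below is hypothetical.
def hsts_value(max_age=10886400, include_subdomains=True, preload=True):
    """Build the Strict-Transport-Security value from the three settings."""
    parts = ["max-age=%d" % max_age]
    if include_subdomains:
        parts.append("includeSubDomains")
    if preload:
        parts.append("preload")
    return "; ".join(parts)

def enforce_hsts(app, protocol_header=None, **options):
    """Wrap a WSGI app: redirect insecure requests, add HSTS to secure ones."""
    value = hsts_value(**options)
    # WSGI exposes the X-Forwarded-Proto request header as HTTP_X_FORWARDED_PROTO.
    key = "HTTP_" + protocol_header.upper().replace("-", "_") if protocol_header else None
    def wrapped(environ, start_response):
        scheme = environ.get("wsgi.url_scheme", "http")
        if key:  # trust this only when the frontend always sets or strips it
            scheme = environ.get(key, scheme).lower()
        if scheme != "https":
            query = environ.get("QUERY_STRING", "")
            location = ("https://" + environ.get("HTTP_HOST", "")
                        + environ.get("PATH_INFO", "/") + ("?" + query if query else ""))
            # Browsers ignore HSTS sent over plain HTTP (RFC 6797), so none is added here.
            start_response("301 Moved Permanently", [("Location", location)])
            return [b""]
        def add_header(status, headers, exc_info=None):
            headers = [h for h in headers if h[0].lower() != "strict-transport-security"]
            return start_response(status, headers + [("Strict-Transport-Security", value)], exc_info)
        return app(environ, add_header)
    return wrapped

def request(app, environ):
    """Send one constructed request through the app; return (status, headers)."""
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen.update(status=status, headers=dict(headers))
    b"".join(app(environ, start_response))
    return seen["status"], seen["headers"]

def hello(environ, start_response):  # constructed stand-in for the real application
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]

if __name__ == "__main__":
    app = enforce_hsts(hello, protocol_header="X-Forwarded-Proto", max_age=21772800)
    base = {"wsgi.url_scheme": "http", "HTTP_HOST": "example.test", "PATH_INFO": "/a"}
    print(request(app, dict(base)))  # proxy header absent: treated as insecure
    print(request(app, dict(base, HTTP_X_FORWARDED_PROTO="https")))
```

Without `protocol_header` configured, the sketch ignores `X-Forwarded-Proto` entirely, so an app behind a TLS-terminating proxy would redirect every request.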
[HTTP Strict Transport Security]: http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
[Pyramid]: http://pypi.python.org/pypi/pyramid
[include]: http://docs.pylonsproject.org/projects/pyramid/en/latest/api/config.html#pyramid.config.Configurator.include
[specify]: http://docs.pylonsproject.org/projects/pyramid/en/latest/narr/environment.html#adding-a-custom-setting
Details for the file pyramid_hsts-1.2.1.tar.gz.
File metadata
- Download URL: pyramid_hsts-1.2.1.tar.gz
- Upload date:
- Size: 5.6 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
File hashes
Algorithm | Hash digest
---|---
SHA256 | 4c2c8885a91e9f91113cef028f2f0a55c62a6bbfd1f3341e9e33b70371cd70fe
MD5 | cd673b7994981c81aa372a8ca8d697cf
BLAKE2b-256 | c9a1f93dedef6092d3789f4c826d9db9f367df54e1e7bbba02ce27eaff448c62