Opened 7 years ago

Last modified 7 years ago

#28359 closed New feature

SecurityMiddleware's SECURE_SSL_HOST only affects unsecure requests — at Version 1

Reported by: Matthias Kestenholz
Owned by: nobody
Component: HTTP handling
Version: dev
Severity: Normal
Keywords:
Cc: Carl Meyer
Triage Stage: Unreviewed
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description (last modified by Matthias Kestenholz)

For search engine optimization purposes it is preferable to have a single domain serving all requests. We have a custom middleware in most projects which handles this but dropped the middleware for sites using SSL:

from django.conf import settings
from django.http import HttpResponsePermanentRedirect


def force_domain(get_response):
    if settings.DEBUG or not settings.FORCE_DOMAIN:
        return get_response

    def middleware(request):
        if request.method != 'GET':
            return get_response(request)

        if request.get_host() != settings.FORCE_DOMAIN:
            target = 'http%s://%s%s' % (
                request.is_secure() and 's' or '',
                settings.FORCE_DOMAIN,
                request.get_full_path())
            return HttpResponsePermanentRedirect(target)

        return get_response(request)

    return middleware

We noticed today that setting SECURE_SSL_HOST = 'example.com' does not redirect requests to https://www.example.com.

It seems to me that setting SECURE_SSL_REDIRECT and SECURE_SSL_HOST should also handle the case where 1. a request already uses a secure connection but 2. the host does not equal SECURE_SSL_HOST.

(Categorized as new feature because that's more fun.)
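
The gap described above, as an added example that is not part of the ticket or of Django's code: a dependency-free model of the redirect decision, comparing the reported behaviour with the requested one over constructed requests. `Req`, `current_redirect`, `requested_redirect` and the sample values are hypothetical names chosen for illustration; limiting the host-mismatch redirect to GET is an assumption carried over from the reporter's middleware.

```python
from typing import NamedTuple, Optional

# Constructed settings for the illustration (assumptions, not the reporter's project).
SECURE_SSL_REDIRECT = True
SECURE_SSL_HOST = "example.com"


class Req(NamedTuple):
    """Minimal stand-in for the request attributes the redirect decision reads."""
    secure: bool      # what request.is_secure() would return
    host: str         # what request.get_host() would return
    full_path: str    # what request.get_full_path() would return
    method: str = "GET"


def current_redirect(req: Req) -> Optional[str]:
    """Reported behaviour: SECURE_SSL_HOST is consulted only for insecure requests."""
    if SECURE_SSL_REDIRECT and not req.secure:
        host = SECURE_SSL_HOST or req.host
        return "https://%s%s" % (host, req.full_path)
    return None


def requested_redirect(req: Req) -> Optional[str]:
    """Requested behaviour: also redirect secure requests that arrive on another host."""
    if not SECURE_SSL_REDIRECT:
        return None
    wrong_host = bool(SECURE_SSL_HOST) and req.host != SECURE_SSL_HOST
    # A 301 on a non-GET request can drop the method and body, so a host
    # mismatch alone only redirects GET (assumption, as in force_domain).
    if not req.secure or (wrong_host and req.method == "GET"):
        # The target host comes from the setting, never from the Host header.
        return "https://%s%s" % (SECURE_SSL_HOST or req.host, req.full_path)
    return None


# Constructed sample requests.
SAMPLES = [
    Req(False, "www.example.com", "/a?b=1"),        # plain HTTP, non-canonical host
    Req(True, "www.example.com", "/a?b=1"),         # HTTPS, non-canonical host
    Req(True, "example.com", "/a?b=1"),             # HTTPS, canonical host
    Req(True, "www.example.com", "/form", "POST"),  # HTTPS POST, non-canonical host
]

if __name__ == "__main__":
    for r in SAMPLES:
        print(r, "| current:", current_redirect(r), "| requested:", requested_redirect(r))
```
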

Change History (1)

comment:1 by Matthias Kestenholz, 7 years ago

Description: modified (diff)