changeset 3359:c394a564ab71 beta
make the htsts headers optional and stored in .ini file.
also don't use it with DEBUG
author | Marcin Kuzminski <marcin@python-works.com> |
---|---|
date | Sun, 10 Feb 2013 20:35:35 +0100 |
parents | 321ca2e69004 |
children | 85f69bf84d95 |
files | development.ini production.ini rhodecode/config/deployment.ini_tmpl rhodecode/lib/middleware/https_fixup.py |
diffstat | 4 files changed, 19 insertions(+), 5 deletions(-) [+] |
--- a/development.ini Sun Feb 10 17:52:29 2013 +0100
+++ b/development.ini Sun Feb 10 20:35:35 2013 +0100
@@ -66,7 +66,10 @@
 app_instance_uuid = rc-develop
 cut_off_limit = 256000
 vcs_full_cache = True
+# force https in RhodeCode, fixes https redirects, assumes it's always https
 force_https = false
+# use Strict-Transport-Security headers
+use_htsts = false
 commit_parse_limit = 25
 # number of items displayed in lightweight dashboard before paginating
 dashboard_items = 100
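Review bot: The new key `use_htsts` misspells the header's usual abbreviation (HSTS), and a setting name is hard to change once released; `use_hsts` would match what operators search for. The same key is added in production.ini and deployment.ini_tmpl and read in https_fixup.py, so all four places would change together. The comment could also say what enabling it commits a site to, for example `# send Strict-Transport-Security (max-age=8640000; includeSubDomains) on https responses, skipped when debug is on`, because the policy covers every subdomain and browsers cache it for the whole max-age.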
--- a/production.ini Sun Feb 10 17:52:29 2013 +0100
+++ b/production.ini Sun Feb 10 20:35:35 2013 +0100
@@ -66,7 +66,10 @@
 app_instance_uuid = rc-production
 cut_off_limit = 256000
 vcs_full_cache = True
+# force https in RhodeCode, fixes https redirects, assumes it's always https
 force_https = false
+# use Strict-Transport-Security headers
+use_htsts = false
 commit_parse_limit = 50
 # number of items displayed in lightweight dashboard before paginating
 dashboard_items = 100
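Review bot: Shipping `use_htsts = false` in the production defaults means the header that the removed code in https_fixup.py sent on every https response is now off unless an operator opts in, and an existing .ini without the key presumably behaves the same way. That is a quiet downgrade of transport protection for https-only deployments upgrading across this changeset. I would mention the new key in the upgrade notes, or at least add `# set to true on https-only deployments` above it here and in deployment.ini_tmpl.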
--- a/rhodecode/config/deployment.ini_tmpl Sun Feb 10 17:52:29 2013 +0100
+++ b/rhodecode/config/deployment.ini_tmpl Sun Feb 10 20:35:35 2013 +0100
@@ -66,7 +66,10 @@
 app_instance_uuid = ${app_instance_uuid}
 cut_off_limit = 256000
 vcs_full_cache = True
+# force https in RhodeCode, fixes https redirects, assumes it's always https
 force_https = false
+# use Strict-Transport-Security headers
+use_htsts = false
 commit_parse_limit = 50
 # number of items displayed in lightweight dashboard before paginating
 dashboard_items = 100
--- a/rhodecode/lib/middleware/https_fixup.py Sun Feb 10 17:52:29 2013 +0100
+++ b/rhodecode/lib/middleware/https_fixup.py Sun Feb 10 20:35:35 2013 +0100
@@ -35,11 +35,16 @@
 def __call__(self, environ, start_response):
 self.__fixup(environ)
- req = Request(environ)
- resp = req.get_response(self.application)
- if environ['wsgi.url_scheme'] == 'https':
- resp.headers['Strict-Transport-Security'] = 'max-age=8640000; includeSubDomains'
- return resp(environ, start_response)
+ debug = str2bool(self.config.get('debug'))
+ if str2bool(self.config.get('use_htsts')) and not debug:
+ req = Request(environ, self.application)
+ resp = req.get_response(self.application)
+ if environ['wsgi.url_scheme'] == 'https':
+ resp.headers['Strict-Transport-Security'] = \
+ 'max-age=8640000; includeSubDomains'
+ return resp(environ, start_response)
+
+ return self.application(environ, start_response)
 def __fixup(self, environ):
 """
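Review bot: `Request(environ, self.application)` now passes the WSGI application as a second positional argument, where the removed line passed only `environ`. The application is already handed to `get_response` on the next line, so this looks unintended, and whatever parameter sits second in the `Request` constructor would receive the app object; I would keep `req = Request(environ)`. Separately, both `str2bool(self.config.get(...))` lookups run on every request, so computing the flag once in the constructor (outside this hunk) would leave `__call__` with a single attribute check. The body of `__fixup` also lies outside the hunk, so whether `wsgi.url_scheme` can read `https` on a plain-http request under `force_https` cannot be judged from here.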