The other day I released bpssl, a Django application that helps you support HTTPS on your website. Its main function is redirecting requests for HTTPS-only URLs and views. For instance, if a request for your login view ‘/login’ is received over HTTP, the provided middleware can redirect the user to the equivalent HTTPS page.
Views and URLs can be marked as secure, as can flatpages. FastCGI and HTTP proxy setups are also well supported.
Many people handle this at the web server level, but the pages that require SSL can change often, and it is often easier to manage this at the application layer.
bpssl draws inspiration from the well-known SSL Middleware snippets on http://www.djangosnippets.org. It roughly supports the features of the following snippets:
- http://djangosnippets.org/snippets/880/
- http://djangosnippets.org/snippets/240/
- http://djangosnippets.org/snippets/1999/
For the lazy
- Documentation
- Source Code (Holy crap! there are tests!)
Installation
First install the bpssl package using pip:
pip install bpssl
or easy_install:
easy_install bpssl
Next add 'beproud.django.ssl' to your INSTALLED_APPS in your settings.py.
INSTALLED_APPS = (
    'django.contrib.auth',
    'django.contrib.contenttypes',
    'django.contrib.sessions',
    'django.contrib.sites',
    'django.contrib.messages',
    # ...
    'beproud.django.ssl',
    # ...
)
Next add 'beproud.django.ssl.middleware.SSLRedirectMiddleware' to your MIDDLEWARE_CLASSES setting.
MIDDLEWARE_CLASSES = (
    'django.middleware.common.CommonMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    # ...
    'beproud.django.ssl.middleware.SSLRedirectMiddleware',
    # ...
)
Finally, add SSL_URLS to your settings. SSL_URLS is a list of regular expressions that match URLs.
SSL_URLS = (
    '^/login/',
    '^/purchase/',
    # ...
)
Or if you prefer:
# In the age of Firesheep, you can never be too careful.
SSL_URLS = (
    '.*',
)
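An added example, not part of bpssl or the original post: a standalone check of which paths a pattern list like SSL_URLS covers, and what the HTTPS redirect target would be. It assumes patterns are tested against the request path with re.search(); the function names, sample paths and example.com are hypothetical.

```python
import re
from urllib.parse import urlunsplit

# Constructed sample settings, mirroring the SSL_URLS form shown above.
SSL_URLS = (
    r'^/login/',
    r'^/purchase/',
)


def requires_https(path, patterns=SSL_URLS):
    """True if any pattern matches the request path.

    Assumption: patterns are tested against the URL path with re.search();
    bpssl's own matching code is not reproduced here.
    """
    return any(re.search(p, path) for p in patterns)


def redirect_target(scheme, host, path, query='', patterns=SSL_URLS):
    """Return the HTTPS URL to redirect to, or None if no redirect applies."""
    if scheme == 'https' or not requires_https(path, patterns):
        return None
    return urlunsplit(('https', host, path, query, ''))


def left_on_http(paths, patterns=SSL_URLS):
    """List the paths that no pattern covers, i.e. that stay on plain HTTP."""
    return [p for p in paths if not requires_https(p, patterns)]


if __name__ == '__main__':
    # Constructed list of paths an application might serve.
    site_paths = ['/login/', '/login', '/purchase/cart/',
                  '/account/password/', '/']
    for p in left_on_http(site_paths):
        print('not covered by SSL_URLS:', p)
```

With the two-pattern list, '/login' (no trailing slash) and '/account/password/' are reported as uncovered. A path missing from the list is served over plain HTTP without any error, so a check like this fits well in a test suite.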
There is also an ssl_view() decorator which allows you to attach redirection logic to individual views.
On the Django side this is all you need to set up and run bpssl. Some additional configuration is required on the web server, depending on your setup. Please check out the Documentation or Source Code for details.