# HG changeset patch # User Marcin Kuzminski # Date 2013-02-10 19:35:35 # Node ID c394a564ab714d5342ff7c61f17c6ea3062946bc # Parent 321ca2e69004c040ada1bcaa7689ce9e5d87672a make the htsts headers optional and stored in .ini file. also don't use it with DEBUG diff --git a/development.ini b/development.ini --- a/development.ini +++ b/development.ini @@ -66,7 +66,10 @@ index_dir = %(here)s/data/index app_instance_uuid = rc-develop cut_off_limit = 256000 vcs_full_cache = True +# force https in RhodeCode, fixes https redirects, assumes it's always https force_https = false +# use Strict-Transport-Security headers +use_htsts = false commit_parse_limit = 25 # number of items displayed in lightweight dashboard before paginating dashboard_items = 100 diff --git a/production.ini b/production.ini --- a/production.ini +++ b/production.ini @@ -66,7 +66,10 @@ index_dir = %(here)s/data/index app_instance_uuid = rc-production cut_off_limit = 256000 vcs_full_cache = True +# force https in RhodeCode, fixes https redirects, assumes it's always https force_https = false +# use Strict-Transport-Security headers +use_htsts = false commit_parse_limit = 50 # number of items displayed in lightweight dashboard before paginating dashboard_items = 100 diff --git a/rhodecode/config/deployment.ini_tmpl b/rhodecode/config/deployment.ini_tmpl --- a/rhodecode/config/deployment.ini_tmpl +++ b/rhodecode/config/deployment.ini_tmpl @@ -66,7 +66,10 @@ index_dir = %(here)s/data/index app_instance_uuid = ${app_instance_uuid} cut_off_limit = 256000 vcs_full_cache = True +# force https in RhodeCode, fixes https redirects, assumes it's always https force_https = false +# use Strict-Transport-Security headers +use_htsts = false commit_parse_limit = 50 # number of items displayed in lightweight dashboard before paginating dashboard_items = 100 diff --git a/rhodecode/lib/middleware/https_fixup.py b/rhodecode/lib/middleware/https_fixup.py --- a/rhodecode/lib/middleware/https_fixup.py +++ b/rhodecode/lib/middleware/https_fixup.py @@ -35,11 +35,16 @@ class HttpsFixup(object): def __call__(self, environ, start_response): self.__fixup(environ) - req = Request(environ) - resp = req.get_response(self.application) - if environ['wsgi.url_scheme'] == 'https': - resp.headers['Strict-Transport-Security'] = 'max-age=8640000; includeSubDomains' - return resp(environ, start_response) + debug = str2bool(self.config.get('debug')) + if str2bool(self.config.get('use_htsts')) and not debug: + req = Request(environ, self.application) + resp = req.get_response(self.application) + if environ['wsgi.url_scheme'] == 'https': + resp.headers['Strict-Transport-Security'] = \ + 'max-age=8640000; includeSubDomains' + return resp(environ, start_response) + + return self.application(environ, start_response) def __fixup(self, environ): """