Comments on: Securing Django with SSL

By: Vovk Donets

Vovk Donets — Fri, 27 Jan 2012 16:40:19 +0000

I have translated your post to russian language, i hope you dont mind =)

http://jetfix.ru/snippets/django-ssl-za-20/

By: Scot Hacker

Scot Hacker — Fri, 02 Sep 2011 01:13:55 +0000

Dave Brown – You need two separate vhosts – one for the SSL portion of the site and one for the non-SSL. The redirect should go ONLY in the non-SSL vhost container.

By: Scot Hacker

Scot Hacker — Fri, 02 Sep 2011 01:11:45 +0000

In the Apache example, you need the directive

RewriteEngine On

above the rule. Also, probably a bit cleaner to not hard-code the domain in there. So, this is what worked for me:

Location /admin
RewriteEngine On
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
/Location

(angle brackets removed so this blog doesn’t strip them out)

By: How to force the use of SSL for some URL of my Django Application? - Admins Goodies

Sun, 21 Aug 2011 18:12:54 +0000

[...] http://www.redrobotstudios.com/blog/2009/02/18/securing-django-with-ssl/ [...]

By: Scott Barnham

Scott Barnham — Wed, 22 Jun 2011 10:00:57 +0000

It would be worth checking is_secure(), though if that’s always False, I’d expect it to keep redirecting to https, rather than bouncing back and forth between http and https. You can use something like assert False, request.is_secure() to check it. If is_secure() is always False, probably the environment variable isn’t getting set. This is how Django checks (from django/http/__init__.py):

    def is_secure(self):
        return os.environ.get("HTTPS") == "on"

I don’t use mod_wsgi, but found this: http://code.google.com/p/modwsgi/issues/detail?id=222

By: Dave Brown

Dave Brown — Tue, 21 Jun 2011 18:00:14 +0000

Great article Scott, thanks!

For the life of me, I cannot stop django from redirecting https back to http, after the http has been redirected to https (creating an infinite loop).

Any ideas? I’m using Django 1.3, and have tried your middleware along with others (thinking maybe it was the middleware). It seems maybe is_secure() isn’t returning true?

I’m just using apache (mod_wsgi), no reverse proxy or anything fancy. I can view non-django static files just fine through https.

By: Scott Barnham

Scott Barnham — Sun, 02 Jan 2011 09:18:23 +0000

Yes, you definitely need SSL if you’re taking credit card details from customers. If you’re doing embedded (“Pro”) PayPal integration, you’re supposed to comply with PCI-DSS standards which are a lot more strict than just using an SSL cert.

By: Rencontre

Rencontre — Sun, 02 Jan 2011 05:33:49 +0000

Hi,
I would like to ask : if you set a site to use, for example, Paypal in an embedded way (not the simple API that redirects to the Paypal site), would you need SSL ?
I have trouble with that. It is not very Django related but I am in the proces of thinking a new Django site…

By: How to force the use of SSL for some URL of my Django Application ? Drija

How to force the use of SSL for some URL of my Django Application ? Drija — Wed, 17 Nov 2010 08:25:03 +0000

[...] http://www.redrobotstudios.com/blog/2009/02/18/securing-django-with-ssl/ July 26, 2010 5:34 am Natim Maybe this is related : http://effbot.org/zone/django-multihost.htm October 10, 2009 4:00 am Graham Dumpleton Answers on StackOverflow at ‘http://stackoverflow.com/questions/1548210/how-to-force-the-use-of-ssl-for-some-url-of-my-django-application’. October 11, 2009 2:21 am [...]

By: Twitter Updates for 2010-02-06 | Red Robot Studios

Twitter Updates for 2010-02-06 | Red Robot Studios — Sat, 06 Feb 2010 14:14:28 +0000

[...] with my blog post: Securing Django with SSL ( http://www.redrobotstudios.com/blog/2009/02/18/securing-django-with-ssl/ ) [...]