UWSGI implement hsts on Heroku

428 views Asked by At

I've followed one of uwsgi's snippets to try to enable hsts. Here's my current configuration:

[uwsgi]
http-socket = :$(PORT)
master = true
processes = 4
die-on-term = true
module = webapp:app
memory-report = true
check-static = %v/webapp/static/
route= ^/?$ static:%v/webapp/static/pages/index.html

route-host = ^localhost:(?:[0-9]+)$ last:
route-if-not = equal:${HTTPS};on redirect-permanent:https://${HTTP_HOST}${REQUEST_URI}
route-if = equal:${HTTPS};on addheader:Strict-Transport-Security: max-age=31536000
route = .* last:

What I'm trying to do is enforce hsts for anything except localhost. The site works on localhost, but on heroku, requests to the home page don't get redirected at all, and requests to static assets get into an infinite loop where even https requests get redirected.

EDIT

The problem is that Heroku's load balancer doesn't connect securely to the dyno. Is there a way to route based on the X-Forwarded-Proto header, or based on the complete request url including protocol (so I could match it to ^https:)?

1

There are 1 answers

0
joerick On BEST ANSWER

This is working for me:

route-if = equal:${HTTP_X_FORWARDED_PROTO};http redirect-permanent:https://${HTTP_HOST}${REQUEST_URI}