Fix HSTS header for HTTPS requests through proxy (#15)

wntrblm · Jan 10, 2018 · 29b4cfe · 29b4cfe
1 parent dccb5f0
commit 29b4cfe
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 2 deletions.
diff --git a/flask_talisman/talisman.py b/flask_talisman/talisman.py
@@ -256,7 +256,11 @@ def _set_content_security_policy_headers(self, headers):
         headers['X-' + csp_header] = policy
 
     def _set_hsts_headers(self, headers):
-        if not self.strict_transport_security or not flask.request.is_secure:
+        criteria = [
+            flask.request.is_secure,
+            flask.request.headers.get('X-Forwarded-Proto', 'http') == 'https',
+        ]
+        if not self.strict_transport_security or not any(criteria):
             return
 
         value = 'max-age={}'.format(self.strict_transport_security_max_age)

diff --git a/flask_talisman/talisman_test.py b/flask_talisman/talisman_test.py
@@ -85,8 +85,16 @@ def testHstsOptions(self):
         response = self.client.get('/', environ_overrides=HTTPS_ENVIRON)
         self.assertFalse('Strict-Transport-Security' in response.headers)
 
-        # No subdomains
+        # HSTS back on
         self.talisman.strict_transport_security = True
+
+        # HTTPS request through proxy
+        response = self.client.get('/', headers={
+            'X-Forwarded-Proto': 'https'
+        })
+        self.assertTrue('Strict-Transport-Security' in response.headers)
+
+        # No subdomains
         self.talisman.strict_transport_security_include_subdomains = False
         response = self.client.get('/', environ_overrides=HTTPS_ENVIRON)
         self.assertFalse(