I've followed one of uwsgi's snippets to try to enable HSTS. Here's my current configuration:
[uwsgi]
http-socket = :$(PORT)
master = true
processes = 4
die-on-term = true
module = webapp:app
memory-report = true
check-static = %v/webapp/static/
route = ^/?$ static:%v/webapp/static/pages/index.html
route-host = ^localhost:(?:[0-9]+)$ last:
route-if-not = equal:${HTTPS};on redirect-permanent:https://${HTTP_HOST}${REQUEST_URI}
route-if = equal:${HTTPS};on addheader:Strict-Transport-Security: max-age=31536000
route = .* last:
What I'm trying to do is enforce HSTS for anything except localhost. The site works on localhost, but on Heroku, requests to the home page don't get redirected at all, and requests to static assets get into an infinite loop where even HTTPS requests get redirected.
The problem is that Heroku's load balancer doesn't connect securely to the dyno. Is there a way to route based on the X-Forwarded-Proto header, or based on the complete request URL including protocol (so I could match it to ^https:)?
This is working for me:
route-if = equal:${HTTP_X_FORWARDED_PROTO};http redirect-permanent:https://${HTTP_HOST}${REQUEST_URI}
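The answer above only fixes the redirect; the original HSTS rule still keys on ${HTTPS}, which is never "on" when the TLS connection terminates at Heroku's router, so the Strict-Transport-Security header would never be added. Below is an added, complete configuration (my own, not from the question, the answer or the uwsgi project) that applies the same X-Forwarded-Proto idea to both rules and keeps the localhost exemption. It assumes the app is only reachable through Heroku's router, which sets X-Forwarded-Proto; if uwsgi were exposed directly, a client could supply that header itself, so the header is only a trustworthy scheme indicator behind a proxy that overwrites it. The static route is placed after the scheme checks so that the home page is redirected too, rather than being served by the static action before the redirect rule is reached.

```ini
[uwsgi]
http-socket = :$(PORT)
master = true
processes = 4
die-on-term = true
module = webapp:app
memory-report = true
check-static = %v/webapp/static/

; Local development: no HTTPS, no redirect, no HSTS header.
route-host = ^localhost:(?:[0-9]+)$ last:

; Behind Heroku's router the original scheme arrives in X-Forwarded-Proto,
; not in ${HTTPS}. Plain-HTTP requests get a permanent redirect to HTTPS.
route-if = equal:${HTTP_X_FORWARDED_PROTO};http redirect-permanent:https://${HTTP_HOST}${REQUEST_URI}

; HTTPS requests get the HSTS header (one year); the header is only
; meaningful on HTTPS responses, so it is gated on the same header.
route-if = equal:${HTTP_X_FORWARDED_PROTO};https addheader:Strict-Transport-Security: max-age=31536000

; Serve the home page from the static index only after the scheme checks,
; so an HTTP request for / is redirected instead of being served directly.
route = ^/?$ static:%v/webapp/static/pages/index.html
route = .* last:
```

Note that a request with no X-Forwarded-Proto header at all matches neither rule, so nothing loops; the earlier ${HTTPS}-based route-if-not redirected every such request, which is why even HTTPS requests for static assets kept bouncing on Heroku.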