(Yes, I know “TLS” would be more accurate. Deal with it.)

WSGI middleware to redirect all incoming HTTP requests to HTTPS. Inspired by djangosecure and flask-sslify, except for raw WSGI apps.


I was using static, and I wanted to force SSL. It was hard. So I made it easy:

app = sslify(static.Cling('content/'))


It really is that easy; just wrap your app with sslify:

from somewhere import my_wsgi_app
from wsgi_sslify import sslify

app = sslify(my_wsgi_app)


You can pass some keyword arguments to sslify to control its behavior:

  • hsts (default: True) - set a Strict-Transport-Security header, which instructs browsers to always use HTTPS. See OWASP for more details on HSTS.

  • max_age (default: one year) - length, in seconds, for browsers to force HTTPS.

  • subdomains (default: False) - force HTTPS for all subdomains, too.

  • permanent (default: True) - issue a permanent (HTTP 301) redirect. If False, issue a temporary (HTTP 302) redirect.

  • proxy_header (default: X-Forwarded-Proto) - for services behind a proxy, this is the name of the header that contains the real request scheme.


Testing: use py.test.

Contributing: send me pull requests.

Related Repositories

Top Contributors

jacobian alex