# HSTS
Version 1
This documentation refers to version 1.x of the web framework.
The current version of the main branch is documented here.
The HTTP Strict-Transport-Security response header (often abbreviated as HSTS) is a standard feature used to instruct clients that a site should only be accessed using HTTPS, and any attempt to access it using HTTP should be converted automatically to HTTPS.
BlackSheep offers a middleware to configure the HTTP Strict-Transport-Security response header globally. This page explains how to use the built-in middleware to enforce HSTS on a web application.
## Enabling HSTS

```python
from blacksheep import Application
from blacksheep.server.env import is_development
from blacksheep.server.security.hsts import HSTSMiddleware

app = Application()

# Register the middleware only outside local development (see the note below)
if not is_development():
    app.middlewares.append(HSTSMiddleware())
```
**Considerations for local development**

It is generally undesirable to enable HSTS during local development, since browsers get instructed to require HTTPS for all traffic on localhost, and that policy persists in the browser after the development server is stopped. This is why the example above configures the middleware only if the application is not running for development. See *Defining application environment* for more information.
## Options

| Option | Type | Description |
|---|---|---|
| max_age | int | Controls the `max-age` directive of the HSTS header (default 31536000) |
| include_subdomains | bool | Controls the `includeSubDomains` directive of the HSTS header (default false) |
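As an added illustration (not BlackSheep's own code), the following shows what the two options map to in the header value, a minimal ASGI middleware that adds the header only on responses served over HTTPS (RFC 6797 requires the header to be sent only over secure transport; browsers ignore it otherwise), and a small check a reviewer can run against a response header value to confirm the policy meets a minimum. The `HSTSHeaderMiddleware` class, the `hello_app` application, and the constructed request scope are assumptions used for the demonstration; with BlackSheep itself you would register `HSTSMiddleware(max_age=..., include_subdomains=...)` as in the snippet above.

```python
import asyncio
from typing import Dict, Optional

HEADER_NAME = b"strict-transport-security"


def hsts_header_value(max_age: int = 31536000, include_subdomains: bool = False) -> bytes:
    """Build the Strict-Transport-Security value the two options map to."""
    if max_age < 0:
        raise ValueError("max_age must be non-negative")
    value = f"max-age={max_age}"
    if include_subdomains:
        value += "; includeSubDomains"
    return value.encode("ascii")


def parse_hsts(value: str) -> Dict[str, Optional[str]]:
    """Parse an HSTS header value into its directives (names lower-cased)."""
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if sep else None
    return directives


def hsts_policy_ok(value: Optional[str], min_max_age: int = 31536000,
                   require_subdomains: bool = False) -> bool:
    """Check that a received header is present and meets a minimum policy."""
    if value is None:
        return False
    directives = parse_hsts(value)
    try:
        max_age = int(directives["max-age"])  # type: ignore[arg-type]
    except (KeyError, ValueError, TypeError):
        return False
    if max_age < min_max_age:
        return False
    if require_subdomains and "includesubdomains" not in directives:
        return False
    return True


class HSTSHeaderMiddleware:
    """Illustrative ASGI middleware (hypothetical): add HSTS only to HTTPS responses."""

    def __init__(self, app, max_age: int = 31536000, include_subdomains: bool = False):
        self.app = app
        self.value = hsts_header_value(max_age, include_subdomains)

    async def __call__(self, scope, receive, send):
        # Header is meaningful only for HTTP responses over a secure transport
        if scope["type"] != "http" or scope.get("scheme") != "https":
            await self.app(scope, receive, send)
            return

        async def send_wrapper(message):
            if message["type"] == "http.response.start":
                # Replace any existing header so the configured policy wins
                headers = [(k, v) for k, v in message.get("headers", [])
                           if k.lower() != HEADER_NAME]
                headers.append((HEADER_NAME, self.value))
                message = {**message, "headers": headers}
            await send(message)

        await self.app(scope, receive, send_wrapper)


async def hello_app(scope, receive, send):
    """Constructed ASGI app that returns a plain-text body."""
    await send({"type": "http.response.start", "status": 200,
                "headers": [(b"content-type", b"text/plain")]})
    await send({"type": "http.response.body", "body": b"hello"})


def run_request(app, scheme: str) -> Dict[str, str]:
    """Drive the app with a constructed scope and return the response headers."""
    captured = []

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    async def send(message):
        captured.append(message)

    scope = {"type": "http", "method": "GET", "path": "/", "scheme": scheme, "headers": []}
    asyncio.run(app(scope, receive, send))
    start = next(m for m in captured if m["type"] == "http.response.start")
    return {k.decode(): v.decode() for k, v in start["headers"]}


if __name__ == "__main__":
    app = HSTSHeaderMiddleware(hello_app, max_age=63072000, include_subdomains=True)
    print(run_request(app, "https"))  # includes strict-transport-security
    print(run_request(app, "http"))   # no HSTS header over plain HTTP
```

The `hsts_policy_ok` check is the part worth reusing in a deployment test: point it at the header your reverse proxy or application actually returns, and fail the check if `max-age` is shorter than the policy you intend or `includeSubDomains` is missing where you expect it.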
## For more information

For more information on HTTP Strict Transport Security, refer to the developer.mozilla.org documentation.
Last modified on: 2023-04-17 19:20:50