If I want to give an option for users to log in to a website using https:// instead of http://, I'd best give them an option to get there in my view or template.

I'd like to have the link "Use secure connection" on my login page - but then, how do I do it without hardcoding the URL?

I'd like to be able to just do:

{% url login_page %}
{% url login_page_https %}

and have them point to http://example.com/login and https://example.com/login.

How can I do this?

A: 

Perhaps you could write a tag url_https that does the same thing as url but points to the HTTPS version of the url.

Corey Porter
+1  A: 

I've not worked much with secure URLs, but I have worked a bit with Satchmo, which has a middleware and some utils for it. The middleware just checks for the key SSL = True in the view parameters, and makes the request secure that way. You probably don't need to make it that complex, but you can take a look at how it's implemented.

Satchmo is on Bitbucket here

I was also able to find some snippets for middlewares, which should also be able to help you get a secure login URL:

The first is the original, while the 2nd should be an improved version, at some point, but might not be the case anymore. You can take a look into them.

Using either satchmo or one of the middleware snippets you should be able to do something like

{% url login_page %}
{% url login_page SSL=1 %}
googletorp
The linked snippets are a good comprehensive solution if you want to define certain URLs as https-only and then have a middleware take care of it from there. They're overkill if all you are trying to do is create an https link.
Carl Meyer
True, for one link alone this is not worth it. In that case your solution is better.
googletorp
+4  A: 

The {% url %} tag only generates the path portion of the URL, not the host portion. It only generates something like "/path/to/here" (all you need to do is "view source" and you'll see that's the entire contents of the href). It's your browser that assumes if you're currently on http://example.com the link should also be within http://example.com. So all you need to do to generate a secure link in your template is:

<a href="https://example.com{% url blah %}">

If you don't want to hardcode the domain name (and I wouldn't), you can use the Site object and have it look something like:

<a href="https://{{ site.domain }}{% url blah %}">

Or if you don't want to use the sites framework, you can use request.get_host:

<a href="https://{{ request.get_host }}{% url blah %}">
Carl Meyer
This has 1 disadvantage though; when/if I move the site to a different domain, or something like that, relative URLs won't break, this one will. I was looking for something more like the request.build_absolute_uri() function with an option to replace http with https, but I guess it's better to implement it by myself.
kender
Well, there is no way to force https and use a relative URL. Edited to mention that you can use the Sites framework to avoid hardcoding the domain name.
Carl Meyer
The above option using request.get_host is essentially doing the same thing as request.get_absolute_uri and forcing https.
Carl Meyer
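
Added example (not part of the original answers): the last answer's approach of prefixing the {% url %} path with https:// and the request's host, written as a stdlib-only Python helper that also checks the host against an allow-list, because the Host header is supplied by the client. The function name https_url, the ALLOWED_HOSTS set and the sample hosts are assumptions made for illustration.

```python
# Added example: build an absolute https:// link from a Host header and a path.
from urllib.parse import urlsplit, urlunsplit

# Constructed sample allow-list; a real project would list its own hosts here.
ALLOWED_HOSTS = {"example.com", "www.example.com"}


def https_url(host_header, path, allowed_hosts=ALLOWED_HOSTS, https_port=443):
    """Return https://<host><path>, or raise ValueError for an untrusted host.

    host_header is the raw Host header value (what request.get_host is based
    on); path is what {% url %} produces, for example "/login".
    """
    # Parse "host[:port]" by treating it as the netloc of a scheme-less URL.
    parts = urlsplit("//" + host_header.strip())
    hostname = parts.hostname  # lower-cased, with port and brackets removed
    # Reject anything beyond host[:port]: userinfo, path, query or fragment.
    if (not hostname or parts.username is not None or parts.path
            or parts.query or parts.fragment):
        raise ValueError("malformed Host header: %r" % host_header)
    hostname = hostname.rstrip(".")
    if hostname not in allowed_hosts:
        raise ValueError("untrusted host: %r" % hostname)
    # The path must be site-relative; "//other" would be read as a new host.
    if not path.startswith("/") or path.startswith("//"):
        raise ValueError("path must start with a single '/': %r" % path)
    # Drop the plain-HTTP port (such as :8000); show only a non-default HTTPS port.
    netloc = hostname if https_port == 443 else "%s:%d" % (hostname, https_port)
    return urlunsplit(("https", netloc, path, "", ""))


if __name__ == "__main__":
    print(https_url("example.com:8000", "/login"))
```

A link built this way only offers HTTPS; the login view still has to refuse or redirect plain-HTTP requests if the secure connection is meant to be mandatory.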