HTTP to HTTPS Redirects#
When serving over HTTPS it is often desired (and wise) to redirect any
HTTP requests to HTTPS. To do this Hypercorn must listen to requests
on secure and insecure binds. This is possible using the
insecure-bind option which specifies binds that will be insecure
regardless of the SSL settings. For example,
$ hypercorn --certfile cert.pem --keyfile key.pem --bind localhost:443 --insecure-bind localhost:80 module:app
will serve on 443 over HTTPS and 80 over HTTP.
Care must be taken when serving over secure and insecure binds to ensure that only redirects are served over HTTP. Hypercorn will not and cannot ensure this for you.
With Hypercorn listening on both secure and insecure binds middleware
such as the one in the hypercorn middleware module,
HTTPToHTTPSRedirectMiddleware, can be
used to ensure HTTP requests are redirected to HTTPS. Alternatively
you can do this directly in your ASGI application.
Ensure that any redirection middleware is the outermost wrapper of your app i.e. ensure that only the redirection middleware receives HTTP requests.
To use the
HTTPToHTTPSRedirectMiddleware wrap your app and specify
the host the redirects should be aimed at. If you want to redirect
https://example.com the host should
example.com as in the example below,
redirected_app = HTTPToHTTPSRedirectMiddleware(app, host="example.com")
You can then serve the redirect_app over a secure and an insecure bind as explained above, for example,
$ hypercorn --certfile cert.pem --keyfile key.pem --bind localhost:443 --insecure-bind localhost:80 module:redirected_app