Flask url_for generating http URL instead of https

Blaise · Feb 11, 2013 · Viewed 29.2k times

I am using url_for to generate a redirect URL when a user has logged out:

return redirect(url_for('.index', _external=True))

However, when I changed the page to an https connection, url_for still gives me http.

I would like to explicitly ask url_for to add https at the beginning of a URL.

Can you point me to how to change it? I looked at the Flask docs, without luck.

Answer

Markus Unterwaditzer · Feb 27, 2013

With Flask 0.10, there will be a much better solution available than wrapping url_for. If you look at https://github.com/mitsuhiko/flask/commit/b5069d07a24a3c3a54fb056aa6f4076a0e7088c7, a _scheme parameter has been added, which means you can do the following:

url_for('secure_thingy',
        _external=True,
        _scheme='https',
        viewarg1=1, ...)

_scheme sets the URL scheme, generating a URL like https://.. instead of http://. However, by default Flask only generates paths (without host or scheme), so you will need to include the _external=True to go from /secure_thingy to https://example.com/secure_thingy.


However, consider making your website HTTPS-only instead. It seems that you're trying to partially enforce HTTPS for only a few "secure" routes, but you can't ensure that your https-URL is not changed if the page linking to the secure page is not encrypted. This is similar to mixed content.
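
The two approaches from the answer above, side by side, as an added example that is not part of the original answer: url_for with _scheme='https', and an HTTPS-only app where the redirect target is already https without it. The app, its routes, the helper names build_urls and probe, and the HSTS header value are assumptions made for illustration.

```python
from flask import Flask, redirect, request, url_for

app = Flask(__name__)  # illustrative app, not from the original post


@app.before_request
def force_https():
    # HTTPS-only: send any plain-HTTP request to the same URL over TLS.
    if not request.is_secure:
        return redirect(request.url.replace("http://", "https://", 1), code=301)


@app.after_request
def add_hsts(response):
    # Added hardening (assumption): tell browsers to stay on HTTPS for a year.
    if request.is_secure:
        response.headers["Strict-Transport-Security"] = "max-age=31536000"
    return response


@app.route("/")
def index():
    return "home"


@app.route("/logout")
def logout():
    # No _scheme needed: on an HTTPS-only site the request itself is https.
    return redirect(url_for("index", _external=True))


def build_urls(base_url):
    """Return (default, forced-https) external URLs as seen from base_url."""
    with app.test_request_context("/logout", base_url=base_url):
        return (
            url_for("index", _external=True),
            url_for("index", _external=True, _scheme="https"),
        )


def probe(base_url):
    """Request /logout and return (status, Location, HSTS header)."""
    resp = app.test_client().get("/logout", base_url=base_url)
    return (
        resp.status_code,
        resp.headers.get("Location"),
        resp.headers.get("Strict-Transport-Security"),
    )
```

If TLS terminates at a reverse proxy, request.is_secure stays False unless the app is told the original scheme (for example with Werkzeug's ProxyFix middleware), so force_https would redirect in a loop until that is configured.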