How to disable SSL on certain views in Django?

Hi there,

Recently, I got my SSL certificate installed. Everything works just fine, but it prevents HTTP connections. On my site, https://www.tefletonpost.com/digital_literacy/, if I click on the Read More button, the output is a mixed content issue

which is expected. But my question is how to get around this issue? Can I disable SSL on certain views in Django? On researching, I found a similar question on Stack Overflow, https://stackoverflow.com/questions/34431487/how-do-you-disable-secure-ssl-redirect-for-some-views-in-django, but I don't know how to implement it at all. Please help!!!

Are you sure it prevents http connections? It just warns about them.

If you want to get rid of the warning, you should load https://www.bbc.co.uk instead of http://www.bbc.co.uk?

Yes, it prevents HTTP connections. Please go to my site, https://www.tefletonpost.com/digital_literacy/, and try clicking the "Read Here" button: it does not show anything on the page, but in the console it produces that output. Actually, I want to show the content in an iframe, so I am requesting a link which is not HTTPS.

Ah, I think I see the underlying problem here. You want to embed pages on your site, and they have HTTPS URLs, which you've embedded into your page. But when one actually visits those HTTPS URLs, they redirect to insecure HTTP ones, which triggers the security warning. So you need the views that embed those pages to be HTTP-only.

The first question is, are you currently forcing HTTPS by setting SECURE_SSL_REDIRECT to True in your Django settings? If so, you'll need to add the URLs on your site where you want to not force HTTPS to the SECURE_REDIRECT_EXEMPT list, as documented on the Stack Overflow page you linked to above.

Once that's done, it will be possible to access those views both over HTTP and HTTPS, which at least means that the page will sometimes work. The next step will be to make sure that if someone visits the page over HTTPS, they get redirected to the HTTP version of the site. You'll need to write code to do that: you can use the is_secure method on the request object, and send back a response with a redirect to the non-secure version of the page.
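The two redirect decisions described in the reply above, modelled in plain Python as an added example that is not part of the original posts and is not Django's own code. The URL prefix, host name and function names are assumptions; in a real view `request.is_secure()`, `request.get_host()` and `request.get_full_path()` would supply the inputs.

```python
import re

# Constructed sample settings (assumptions, not taken from the thread).
SECURE_SSL_REDIRECT = True
SECURE_REDIRECT_EXEMPT = [r"^digital_literacy/read/"]  # hypothetical URL prefix


def is_exempt(path, patterns=SECURE_REDIRECT_EXEMPT):
    """Mirror how SecurityMiddleware tests SECURE_REDIRECT_EXEMPT:
    the leading '/' is stripped, then each regex is *searched*, not
    full-matched, so an unanchored pattern exempts more than intended."""
    stripped = path.lstrip("/")
    return any(re.search(p, stripped) for p in patterns)


def plan_redirect(path, secure, host, patterns=SECURE_REDIRECT_EXEMPT):
    """Return the URL to redirect to, or None to serve the request as is."""
    exempt = is_exempt(path, patterns)
    if SECURE_SSL_REDIRECT and not secure and not exempt:
        # HTTP request to a normal view: forced up to HTTPS.
        return f"https://{host}{path}"
    if secure and exempt:
        # The extra step from the reply: HTTPS request to an exempt
        # (iframe-embedding) view is sent to the HTTP version.
        return f"http://{host}{path}"
    return None


if __name__ == "__main__":
    for p, s in [("/digital_literacy/read/3/", True),
                 ("/digital_literacy/read/3/", False),
                 ("/accounts/login/", False)]:
        print(p, "secure" if s else "plain", "->",
              plan_redirect(p, s, "example.com"))
```

Anchor every exempt pattern with `^` so only the embedding views lose the HTTPS redirect. If the site sends an HSTS header (`SECURE_HSTS_SECONDS`), browsers upgrade the `http://` redirect straight back to HTTPS and the exempt view loops.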