
Using https as standard with django project

I am learning Django and trying to complete my first webapp.

I am using the Shopify API & boilerplate (starter code) and am having an issue with the final step of auth.

Specifically, the redirect URL -- it's using HTTP:// when it should NOT and I don't know how to change it.

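# in my view
import shopify
from django.conf import settings
from django.shortcuts import redirect
from django.urls import reverse

def authenticate(request):
    shop = request.GET.get('shop')
    print('shop:', shop)
    if shop:
        scope = settings.SHOPIFY_API_SCOPE
        # The scheme of this URI follows the scheme of the incoming request
        redirect_uri = request.build_absolute_uri(reverse('shopify_app_finalize')) #try this with new store url?
        print('redirect url', redirect_uri) # this equals http://myherokuapp.com/login/finalize/
        permission_url = shopify.Session(shop.strip()).create_permission_url(scope, redirect_uri)
        return redirect(permission_url)

    # _return_address is a helper that is not shown in the question
    return redirect(_return_address(request))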

Which is a problem because my app uses the Embedded Shopify SDK which causes this error to occur at the point of this request:

Refused to frame 'http://my.herokuapp.com/' because it violates the following Content Security Policy directive: "child-src 'self' https://* shopify-pos://*". Note that 'frame-src' was not explicitly set, so 'child-src' is used as a fallback.

How do I change the URL to use HTTPS?

Thank you so much in advance. Please let me know if I can share any other details but my code is practically identical to that starter code.

This is what the Django doc says about build_absolute_uri:

Mixing HTTP and HTTPS on the same site is discouraged, therefore build_absolute_uri() will always generate an absolute URI with the same scheme the current request has. If you need to redirect users to HTTPS, it's best to let your Web server redirect all HTTP traffic to HTTPS.

So you can do two things:

  1. Make sure your site runs entirely on HTTPS (preferred option): Set up your web server to use HTTPS, see the Heroku documentation on how to do this. Django will automatically use HTTPS for request.build_absolute_uri if the incoming request is on HTTPS. I'm not sure what gets passed in the shop parameter but if it contains personal data I'd suggest using HTTPS anyway.

  2. Create the URL yourself:

     url = "https://{host}{path}".format(host=request.get_host(), path=reverse('shopify_app_finalize'))

     But you will still need to configure your server to accept incoming HTTPS requests.
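Added example, not part of the original question or answer and not Django's own source: a simplified stdlib model of how the request scheme is chosen when TLS is terminated in front of the app (as Heroku's router does) and how the real Django setting SECURE_PROXY_SSL_HEADER changes the result of build_absolute_uri. The function names, the host app.example.com and the environ dicts are constructed for illustration.

```python
# Simplified model of Django's scheme selection; helper names are hypothetical.
# The setting one would put in settings.py behind a TLS-terminating proxy:
#   SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")
PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")


def request_scheme(environ, proxy_ssl_header=None):
    """Return the scheme that build_absolute_uri() would put in the URI."""
    if proxy_ssl_header:
        header, secure_value = proxy_ssl_header
        value = environ.get(header)
        if value is not None:
            # Proxies may append values; only the first one is considered.
            first = value.split(",", 1)[0].strip()
            return "https" if first == secure_value else "http"
    # No trusted header configured or present: only the last hop is visible.
    return environ.get("wsgi.url_scheme", "http")


def absolute_uri(environ, path, proxy_ssl_header=None):
    """Build scheme://host/path from a WSGI environ."""
    scheme = request_scheme(environ, proxy_ssl_header)
    return "{}://{}{}".format(scheme, environ["HTTP_HOST"], path)


# Constructed sample: the browser used HTTPS, the router forwarded plain HTTP.
BEHIND_ROUTER = {
    "wsgi.url_scheme": "http",
    "HTTP_HOST": "app.example.com",
    "HTTP_X_FORWARDED_PROTO": "https",
}
# Constructed sample: the browser itself used plain HTTP through the router.
PLAIN_HTTP = dict(BEHIND_ROUTER, HTTP_X_FORWARDED_PROTO="http")

# Caveat: the header is only trustworthy if the proxy always sets or strips
# it. If clients can reach the app directly, they can send the header
# themselves and the app will treat an insecure request as secure.

if __name__ == "__main__":
    path = "/login/finalize/"
    print(absolute_uri(BEHIND_ROUTER, path))                    # setting unset
    print(absolute_uri(BEHIND_ROUTER, path, PROXY_SSL_HEADER))  # setting set
    print(absolute_uri(PLAIN_HTTP, path, PROXY_SSL_HEADER))     # real HTTP
```

With the setting in place, requests that really arrived over HTTP still produce http:// URIs, which is the case Django's SECURE_SSL_REDIRECT setting covers by redirecting them to HTTPS.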
