plain 0.7.0__tar.gz → 0.8.1__tar.gz

{plain-0.7.0 → plain-0.8.1}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: plain
-Version: 0.7.0
+Version: 0.8.1
 Summary: A web framework for building products with Python.
 Author: Dave Gaeddert
 Author-email: dave.gaeddert@dropseed.dev
@@ -8,6 +8,7 @@ Requires-Python: >=3.11,<4.0
 Classifier: Programming Language :: Python :: 3
 Classifier: Programming Language :: Python :: 3.11
 Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
 Requires-Dist: click (>=8.0.0)
 Requires-Dist: jinja2 (>=3.1.2,<4.0.0)
 Requires-Dist: python-dotenv (>=1.0.0,<2.0.0)

{plain-0.7.0 → plain-0.8.1}/plain/cli/cli.py

@@ -251,7 +251,7 @@ def preflight_checks(package_label, deploy, fail_level, databases):
             msg = header + body + footer
             click.echo(msg, err=True)
         else:
-            click.echo("Preflight check identified no issues.", err=True)
+            click.secho("✔ Preflight check identified no issues.", err=True, fg="green")
 
 
 @plain_cli.command()

{plain-0.7.0 → plain-0.8.1}/plain/csrf/middleware.py

@@ -9,7 +9,7 @@ import string
 from collections import defaultdict
 from urllib.parse import urlparse
 
-from plain.exceptions import DisallowedHost, ImproperlyConfigured
+from plain.exceptions import DisallowedHost
 from plain.http import HttpHeaders, UnreadablePostError
 from plain.logs import log_response
 from plain.runtime import settings
@@ -242,44 +242,31 @@ class CsrfViewMiddleware:
         If the CSRF_USE_SESSIONS setting is false, raises InvalidTokenFormat if
         the request's secret has invalid characters or an invalid length.
         """
-        if settings.CSRF_USE_SESSIONS:
-            try:
-                csrf_secret = request.session.get(CSRF_SESSION_KEY)
-            except AttributeError:
-                raise ImproperlyConfigured(
-                    "CSRF_USE_SESSIONS is enabled, but request.session is not "
-                    "set. SessionMiddleware must appear before CsrfViewMiddleware "
-                    "in MIDDLEWARE."
-                )
+        try:
+            csrf_secret = request.COOKIES[settings.CSRF_COOKIE_NAME]
+        except KeyError:
+            csrf_secret = None
         else:
-            try:
-                csrf_secret = request.COOKIES[settings.CSRF_COOKIE_NAME]
-            except KeyError:
-                csrf_secret = None
-            else:
-                # This can raise InvalidTokenFormat.
-                _check_token_format(csrf_secret)
+            # This can raise InvalidTokenFormat.
+            _check_token_format(csrf_secret)
+
         if csrf_secret is None:
             return None
         return csrf_secret
 
     def _set_csrf_cookie(self, request, response):
-        if settings.CSRF_USE_SESSIONS:
-            if request.session.get(CSRF_SESSION_KEY) != request.META["CSRF_COOKIE"]:
-                request.session[CSRF_SESSION_KEY] = request.META["CSRF_COOKIE"]
-        else:
-            response.set_cookie(
-                settings.CSRF_COOKIE_NAME,
-                request.META["CSRF_COOKIE"],
-                max_age=settings.CSRF_COOKIE_AGE,
-                domain=settings.CSRF_COOKIE_DOMAIN,
-                path=settings.CSRF_COOKIE_PATH,
-                secure=settings.CSRF_COOKIE_SECURE,
-                httponly=settings.CSRF_COOKIE_HTTPONLY,
-                samesite=settings.CSRF_COOKIE_SAMESITE,
-            )
-            # Set the Vary header since content varies with the CSRF cookie.
-            patch_vary_headers(response, ("Cookie",))
+        response.set_cookie(
+            settings.CSRF_COOKIE_NAME,
+            request.META["CSRF_COOKIE"],
+            max_age=settings.CSRF_COOKIE_AGE,
+            domain=settings.CSRF_COOKIE_DOMAIN,
+            path=settings.CSRF_COOKIE_PATH,
+            secure=settings.CSRF_COOKIE_SECURE,
+            httponly=settings.CSRF_COOKIE_HTTPONLY,
+            samesite=settings.CSRF_COOKIE_SAMESITE,
+        )
+        # Set the Vary header since content varies with the CSRF cookie.
+        patch_vary_headers(response, ("Cookie",))
 
     def _origin_verified(self, request):
         request_origin = request.META["HTTP_ORIGIN"]
@@ -289,7 +276,7 @@ class CsrfViewMiddleware:
             pass
         else:
             good_origin = "{}://{}".format(
-                "https" if request.is_secure() else "http",
+                "https" if request.is_https() else "http",
                 good_host,
             )
             if request_origin == good_origin:
@@ -331,11 +318,7 @@ class CsrfViewMiddleware:
         ):
             return
         # Allow matching the configured cookie domain.
-        good_referer = (
-            settings.SESSION_COOKIE_DOMAIN
-            if settings.CSRF_USE_SESSIONS
-            else settings.CSRF_COOKIE_DOMAIN
-        )
+        good_referer = settings.CSRF_COOKIE_DOMAIN
         if good_referer is None:
             # If no cookie domain is configured, allow matching the current
             # host:port exactly if it's permitted by ALLOWED_HOSTS.
@@ -435,7 +418,7 @@ class CsrfViewMiddleware:
                 return self._reject(
                     request, REASON_BAD_ORIGIN % request.META["HTTP_ORIGIN"]
                 )
-        elif request.is_secure():
+        elif request.is_https():
             # If the Origin header wasn't provided, reject HTTPS requests if
             # the Referer header doesn't match an allowed value.
             #

{plain-0.7.0 → plain-0.8.1}/plain/http/request.py

@@ -140,7 +140,7 @@ class HttpRequest:
             # Reconstruct the host using the algorithm from PEP 333.
             host = self.META["SERVER_NAME"]
             server_port = self.get_port()
-            if server_port != ("443" if self.is_secure() else "80"):
+            if server_port != ("443" if self.is_https() else "80"):
                 host = f"{host}:{server_port}"
         return host
 
@@ -281,7 +281,7 @@ class HttpRequest:
                 return "https" if header_value.strip() == secure_value else "http"
         return self._get_scheme()
 
-    def is_secure(self):
+    def is_https(self):
         return self.scheme == "https"
 
     @property

{plain-0.7.0 → plain-0.8.1}/plain/internal/handlers/base.py

@@ -13,6 +13,15 @@ from .exception import convert_exception_to_response
 logger = logging.getLogger("plain.request")
 
 
+# These middleware classes are always used by Plain.
+BUILTIN_MIDDLEWARE = [
+    "plain.internal.middleware.headers.DefaultHeadersMiddleware",
+    "plain.internal.middleware.https.HttpsRedirectMiddleware",
+    "plain.internal.middleware.slash.RedirectSlashMiddleware",
+    "plain.csrf.middleware.CsrfViewMiddleware",
+]
+
+
 class BaseHandler:
     _view_middleware = None
     _middleware_chain = None
@@ -27,7 +36,10 @@ class BaseHandler:
 
         get_response = self._get_response
         handler = convert_exception_to_response(get_response)
-        for middleware_path in reversed(settings.MIDDLEWARE):
+
+        middlewares = reversed(BUILTIN_MIDDLEWARE + settings.MIDDLEWARE)
+
+        for middleware_path in middlewares:
             middleware = import_string(middleware_path)
             mw_instance = middleware(handler)
 

plain-0.8.1/plain/internal/middleware/headers.py

@@ -0,0 +1,19 @@
+from plain.runtime import settings
+
+
+class DefaultHeadersMiddleware:
+    def __init__(self, get_response):
+        self.get_response = get_response
+
+    def __call__(self, request):
+        response = self.get_response(request)
+
+        for header, value in settings.DEFAULT_RESPONSE_HEADERS.items():
+            response.headers.setdefault(header, value)
+
+        # Add the Content-Length header to non-streaming responses if not
+        # already set.
+        if not response.streaming and not response.has_header("Content-Length"):
+            response.headers["Content-Length"] = str(len(response.content))
+
+        return response

plain-0.8.1/plain/internal/middleware/https.py

@@ -0,0 +1,36 @@
+import re
+
+from plain.http import ResponsePermanentRedirect
+from plain.runtime import settings
+
+
+class HttpsRedirectMiddleware:
+    def __init__(self, get_response):
+        self.get_response = get_response
+
+        # Settings for https (compile regexes once)
+        self.https_redirect_enabled = settings.HTTPS_REDIRECT_ENABLED
+        self.https_redirect_host = settings.HTTPS_REDIRECT_HOST
+        self.https_redirect_exempt = [
+            re.compile(r) for r in settings.HTTPS_REDIRECT_EXEMPT
+        ]
+
+    def __call__(self, request):
+        """
+        Rewrite the URL based on settings.APPEND_SLASH
+        """
+
+        if redirect_response := self.maybe_https_redirect(request):
+            return redirect_response
+
+        return self.get_response(request)
+
+    def maybe_https_redirect(self, request):
+        path = request.path.lstrip("/")
+        if (
+            self.https_redirect_enabled
+            and not request.is_https()
+            and not any(pattern.search(path) for pattern in self.https_redirect_exempt)
+        ):
+            host = self.https_redirect_host or request.get_host()
+            return ResponsePermanentRedirect(f"https://{host}{request.get_full_path()}")

plain-0.7.0/plain/middleware/common.py → plain-0.8.1/plain/internal/middleware/slash.py

@@ -4,25 +4,7 @@ from plain.urls import is_valid_path
 from plain.utils.http import escape_leading_slashes
 
 
-class CommonMiddleware:
-    """
-    "Common" middleware for taking care of some basic operations:
-
-        - URL rewriting: Based on the APPEND_SLASH setting,
-          append missing slashes.
-
-            - If APPEND_SLASH is set and the initial URL doesn't end with a
-              slash, and it is not found in urlpatterns, form a new URL by
-              appending a slash at the end. If this new URL is found in
-              urlpatterns, return an HTTP redirect to this new URL; otherwise
-              process the initial URL as usual.
-
-          This behavior can be customized by subclassing CommonMiddleware and
-          overriding the response_redirect_class attribute.
-    """
-
-    response_redirect_class = ResponsePermanentRedirect
-
+class RedirectSlashMiddleware:
     def __init__(self, get_response):
         self.get_response = get_response
 
@@ -40,12 +22,7 @@ class CommonMiddleware:
         # If the given URL is "Not Found", then check if we should redirect to
         # a path with a slash appended.
         if response.status_code == 404 and self.should_redirect_with_slash(request):
-            return self.response_redirect_class(self.get_full_path_with_slash(request))
-
-        # Add the Content-Length header to non-streaming responses if not
-        # already set.
-        if not response.streaming and not response.has_header("Content-Length"):
-            response.headers["Content-Length"] = str(len(response.content))
+            return ResponsePermanentRedirect(self.get_full_path_with_slash(request))
 
         return response
 

{plain-0.7.0 → plain-0.8.1}/plain/preflight/security/base.py

@@ -16,17 +16,18 @@ SECRET_KEY_WARNING_MSG = (
     f"vulnerable to attack."
 )
 
+# TODO
 W001 = Warning(
-    "You do not have 'plain.middleware.security.SecurityMiddleware' "
+    "You do not have 'plain.middleware.https.HttpsRedirectMiddleware' "
     "in your MIDDLEWARE so the SECURE_HSTS_SECONDS, "
     "SECURE_CONTENT_TYPE_NOSNIFF, SECURE_REFERRER_POLICY, "
-    "SECURE_CROSS_ORIGIN_OPENER_POLICY, and SECURE_SSL_REDIRECT settings will "
+    "SECURE_CROSS_ORIGIN_OPENER_POLICY, and HTTPS_REDIRECT_ENABLED settings will "
     "have no effect.",
     id="security.W001",
 )
 
 W008 = Warning(
-    "Your SECURE_SSL_REDIRECT setting is not set to True. "
+    "Your HTTPS_REDIRECT_ENABLED setting is not set to True. "
     "Unless your site should be available over both SSL and non-SSL "
     "connections, you may want to either set this setting True "
     "or configure a load balancer or reverse-proxy server "
@@ -52,22 +53,6 @@ W020 = Warning(
 W025 = Warning(SECRET_KEY_WARNING_MSG, id="security.W025")
 
 
-def _security_middleware():
-    return "plain.middleware.security.SecurityMiddleware" in settings.MIDDLEWARE
-
-
-@register(deploy=True)
-def check_security_middleware(package_configs, **kwargs):
-    passed_check = _security_middleware()
-    return [] if passed_check else [W001]
-
-
-@register(deploy=True)
-def check_ssl_redirect(package_configs, **kwargs):
-    passed_check = not _security_middleware() or settings.SECURE_SSL_REDIRECT is True
-    return [] if passed_check else [W008]
-
-
 def _check_secret_key(secret_key):
     return (
         len(set(secret_key)) >= SECRET_KEY_MIN_UNIQUE_CHARACTERS

{plain-0.7.0 → plain-0.8.1}/plain/preflight/security/csrf.py

@@ -32,9 +32,5 @@ def check_csrf_middleware(package_configs, **kwargs):
 
 @register(deploy=True)
 def check_csrf_cookie_secure(package_configs, **kwargs):
-    passed_check = (
-        settings.CSRF_USE_SESSIONS
-        or not _csrf_middleware()
-        or settings.CSRF_COOKIE_SECURE is True
-    )
+    passed_check = not _csrf_middleware() or settings.CSRF_COOKIE_SECURE is True
     return [] if passed_check else [W016]

{plain-0.7.0 → plain-0.8.1}/plain/runtime/README.md

@@ -54,10 +54,7 @@ SECRET_KEY = environ["SECRET_KEY"]
 DEBUG = environ.get("DEBUG", "false").lower() in ("true", "1", "yes")
 
 MIDDLEWARE = [
-    "plain.middleware.security.SecurityMiddleware",
     "plain.sessions.middleware.SessionMiddleware",
-    "plain.middleware.common.CommonMiddleware",
-    "plain.csrf.middleware.CsrfViewMiddleware",
     "plain.auth.middleware.AuthenticationMiddleware",
 ]
 

{plain-0.7.0 → plain-0.8.1}/plain/runtime/global_settings.py

@@ -29,11 +29,27 @@ TIME_ZONE: str = "UTC"
 DEFAULT_CHARSET = "utf-8"
 
 # List of strings representing installed packages.
-INSTALLED_PACKAGES: list = []
+INSTALLED_PACKAGES: list[str] = []
 
 # Whether to append trailing slashes to URLs.
 APPEND_SLASH = True
 
+# Default headers for all responses.
+DEFAULT_RESPONSE_HEADERS = {
+    # "Content-Security-Policy": "default-src 'self'",
+    # https://hstspreload.org/
+    # "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
+    "Cross-Origin-Opener-Policy": "same-origin",
+    "Referrer-Policy": "same-origin",
+    "X-Content-Type-Options": "nosniff",
+    "X-Frame-Options": "DENY",
+}
+
+# Whether to redirect all non-HTTPS requests to HTTPS.
+HTTPS_REDIRECT_ENABLED = True
+HTTPS_REDIRECT_EXEMPT = []
+HTTPS_REDIRECT_HOST = None
+
 # A secret key for this particular Plain installation. Used in secret-key
 # hashing algorithms. Set this in your settings, or Plain will complain
 # loudly.
@@ -82,7 +98,7 @@ HTTP_ERROR_VIEWS: dict[int] = {}
 # connections, AND that proxy ensures that user-submitted headers with the
 # same name are ignored (so that people can't spoof it), set this value to
 # a tuple of (header_name, header_value). For any requests that come in with
-# that header/value, request.is_secure() will return True.
+# that header/value, request.is_https() will return True.
 # WARNING! Only set this if you fully understand what you're doing. Otherwise,
 # you may be opening yourself up to a security risk.
 SECURE_PROXY_SSL_HEADER = None
@@ -94,11 +110,7 @@ SECURE_PROXY_SSL_HEADER = None
 # List of middleware to use. Order is important; in the request phase, these
 # middleware will be applied in the order given, and in the response
 # phase the middleware will be applied in reverse order.
-MIDDLEWARE = [
-    "plain.middleware.security.SecurityMiddleware",
-    "plain.middleware.common.CommonMiddleware",
-    "plain.csrf.middleware.CsrfViewMiddleware",
-]
+MIDDLEWARE: list[str] = []
 
 ###########
 # SIGNING #
@@ -120,7 +132,6 @@ CSRF_COOKIE_HTTPONLY = False
 CSRF_COOKIE_SAMESITE = "Lax"
 CSRF_HEADER_NAME = "HTTP_X_CSRFTOKEN"
 CSRF_TRUSTED_ORIGINS: list[str] = []
-CSRF_USE_SESSIONS = False
 
 ###########
 # LOGGING #
@@ -150,23 +161,6 @@ ASSETS_BASE_URL: str = ""
 # message, but Plain will not stop you from e.g. running server.
 SILENCED_PREFLIGHT_CHECKS = []
 
-#######################
-# SECURITY MIDDLEWARE #
-#######################
-SECURE_REDIRECT_EXEMPT = []
-SECURE_SSL_HOST = None
-SECURE_SSL_REDIRECT = True
-
-SECURE_DEFAULT_HEADERS = {
-    # "Content-Security-Policy": "default-src 'self'",
-    # https://hstspreload.org/
-    # "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
-    "Cross-Origin-Opener-Policy": "same-origin",
-    "Referrer-Policy": "same-origin",
-    "X-Content-Type-Options": "nosniff",
-    "X-Frame-Options": "DENY",
-}
-
 #############
 # Templates #
 #############

{plain-0.7.0 → plain-0.8.1}/plain/test/client.py

@@ -379,7 +379,7 @@ class RequestFactory:
         # Refs comment in `get_bytes_from_wsgi()`.
         return path.decode("iso-8859-1")
 
-    def get(self, path, data=None, secure=False, *, headers=None, **extra):
+    def get(self, path, data=None, secure=True, *, headers=None, **extra):
         """Construct a GET request."""
         data = {} if data is None else data
         return self.generic(
@@ -398,7 +398,7 @@ class RequestFactory:
         path,
         data=None,
         content_type=MULTIPART_CONTENT,
-        secure=False,
+        secure=True,
         *,
         headers=None,
         **extra,
@@ -417,7 +417,7 @@ class RequestFactory:
             **extra,
         )
 
-    def head(self, path, data=None, secure=False, *, headers=None, **extra):
+    def head(self, path, data=None, secure=True, *, headers=None, **extra):
         """Construct a HEAD request."""
         data = {} if data is None else data
         return self.generic(
@@ -431,7 +431,7 @@ class RequestFactory:
             },
         )
 
-    def trace(self, path, secure=False, *, headers=None, **extra):
+    def trace(self, path, secure=True, *, headers=None, **extra):
         """Construct a TRACE request."""
         return self.generic("TRACE", path, secure=secure, headers=headers, **extra)
 
@@ -440,7 +440,7 @@ class RequestFactory:
         path,
         data="",
         content_type="application/octet-stream",
-        secure=False,
+        secure=True,
         *,
         headers=None,
         **extra,
@@ -455,7 +455,7 @@ class RequestFactory:
         path,
         data="",
         content_type="application/octet-stream",
-        secure=False,
+        secure=True,
         *,
         headers=None,
         **extra,
@@ -471,7 +471,7 @@ class RequestFactory:
         path,
         data="",
         content_type="application/octet-stream",
-        secure=False,
+        secure=True,
         *,
         headers=None,
         **extra,
@@ -487,7 +487,7 @@ class RequestFactory:
         path,
         data="",
         content_type="application/octet-stream",
-        secure=False,
+        secure=True,
         *,
         headers=None,
         **extra,
@@ -504,7 +504,7 @@ class RequestFactory:
         path,
         data="",
         content_type="application/octet-stream",
-        secure=False,
+        secure=True,
         *,
         headers=None,
         **extra,
@@ -704,7 +704,7 @@ class Client(ClientMixin, RequestFactory):
         path,
         data=None,
         follow=False,
-        secure=False,
+        secure=True,
         *,
         headers=None,
         **extra,
@@ -725,7 +725,7 @@ class Client(ClientMixin, RequestFactory):
         data=None,
         content_type=MULTIPART_CONTENT,
         follow=False,
-        secure=False,
+        secure=True,
         *,
         headers=None,
         **extra,
@@ -752,7 +752,7 @@ class Client(ClientMixin, RequestFactory):
         path,
         data=None,
         follow=False,
-        secure=False,
+        secure=True,
         *,
         headers=None,
         **extra,
@@ -775,7 +775,7 @@ class Client(ClientMixin, RequestFactory):
         data="",
         content_type="application/octet-stream",
         follow=False,
-        secure=False,
+        secure=True,
         *,
         headers=None,
         **extra,
@@ -803,7 +803,7 @@ class Client(ClientMixin, RequestFactory):
         data="",
         content_type="application/octet-stream",
         follow=False,
-        secure=False,
+        secure=True,
         *,
         headers=None,
         **extra,
@@ -831,7 +831,7 @@ class Client(ClientMixin, RequestFactory):
         data="",
         content_type="application/octet-stream",
         follow=False,
-        secure=False,
+        secure=True,
         *,
         headers=None,
         **extra,
@@ -859,7 +859,7 @@ class Client(ClientMixin, RequestFactory):
         data="",
         content_type="application/octet-stream",
         follow=False,
-        secure=False,
+        secure=True,
         *,
         headers=None,
         **extra,
@@ -886,7 +886,7 @@ class Client(ClientMixin, RequestFactory):
         path,
         data="",
         follow=False,
-        secure=False,
+        secure=True,
         *,
         headers=None,
         **extra,

{plain-0.7.0 → plain-0.8.1}/plain/views/base.py

@@ -15,6 +15,10 @@ logger = logging.getLogger("plain.request")
 
 
 class View:
+    request: HttpRequest
+    url_args: tuple
+    url_kwargs: dict
+
     def __init__(self, *args, **kwargs) -> None:
         # Views can customize their init, which receives
         # the args and kwargs from as_view()

{plain-0.7.0 → plain-0.8.1}/pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "plain"
-version = "0.7.0"
+version = "0.8.1"
 description = "A web framework for building products with Python."
 authors = ["Dave Gaeddert <dave.gaeddert@dropseed.dev>"]
 readme = "README.md"

plain-0.7.0/plain/middleware/README.md

@@ -1,3 +0,0 @@
-# Middleware
-
-Hook into the request/response cycle.

plain-0.7.0/plain/middleware/gzip.py

@@ -1,64 +0,0 @@
-from plain.utils.cache import patch_vary_headers
-from plain.utils.regex_helper import _lazy_re_compile
-from plain.utils.text import compress_sequence, compress_string
-
-re_accepts_gzip = _lazy_re_compile(r"\bgzip\b")
-
-
-class GZipMiddleware:
-    """
-    Compress content if the browser allows gzip compression.
-    Set the Vary header accordingly, so that caches will base their storage
-    on the Accept-Encoding header.
-    """
-
-    max_random_bytes = 100
-
-    def __init__(self, get_response):
-        self.get_response = get_response
-
-    def __call__(self, request):
-        response = self.get_response(request)
-
-        # It's not worth attempting to compress really short responses.
-        if not response.streaming and len(response.content) < 200:
-            return response
-
-        # Avoid gzipping if we've already got a content-encoding.
-        if response.has_header("Content-Encoding"):
-            return response
-
-        patch_vary_headers(response, ("Accept-Encoding",))
-
-        ae = request.META.get("HTTP_ACCEPT_ENCODING", "")
-        if not re_accepts_gzip.search(ae):
-            return response
-
-        if response.streaming:
-            response.streaming_content = compress_sequence(
-                response.streaming_content,
-                max_random_bytes=self.max_random_bytes,
-            )
-            # Delete the `Content-Length` header for streaming content, because
-            # we won't know the compressed size until we stream it.
-            del response.headers["Content-Length"]
-        else:
-            # Return the compressed content only if it's actually shorter.
-            compressed_content = compress_string(
-                response.content,
-                max_random_bytes=self.max_random_bytes,
-            )
-            if len(compressed_content) >= len(response.content):
-                return response
-            response.content = compressed_content
-            response.headers["Content-Length"] = str(len(response.content))
-
-        # If there is a strong ETag, make it weak to fulfill the requirements
-        # of RFC 9110 Section 8.8.1 while also allowing conditional request
-        # matches on ETags.
-        etag = response.get("ETag")
-        if etag and etag.startswith('"'):
-            response.headers["ETag"] = "W/" + etag
-        response.headers["Content-Encoding"] = "gzip"
-
-        return response

plain-0.7.0/plain/middleware/security.py

@@ -1,31 +0,0 @@
-import re
-
-from plain.http import ResponsePermanentRedirect
-from plain.runtime import settings
-
-
-class SecurityMiddleware:
-    def __init__(self, get_response):
-        self.get_response = get_response
-        self.redirect = settings.SECURE_SSL_REDIRECT
-        self.redirect_host = settings.SECURE_SSL_HOST
-        self.redirect_exempt = [re.compile(r) for r in settings.SECURE_REDIRECT_EXEMPT]
-
-        self.default_headers = settings.SECURE_DEFAULT_HEADERS
-
-    def __call__(self, request):
-        path = request.path.lstrip("/")
-        if (
-            self.redirect
-            and not request.is_secure()
-            and not any(pattern.search(path) for pattern in self.redirect_exempt)
-        ):
-            host = self.redirect_host or request.get_host()
-            return ResponsePermanentRedirect(f"https://{host}{request.get_full_path()}")
-
-        response = self.get_response(request)
-
-        for header, value in self.default_headers.items():
-            response.headers.setdefault(header, value)
-
-        return response