Edit me on GitHub

pylons.decorators.secure – Secure Decorators

Security related decorators

Module Contents


Decorator for authenticating a form

This decorator uses an authorization token stored in the client’s session for prevention of certain Cross-site request forgery (CSRF) attacks (See http://en.wikipedia.org/wiki/Cross-site_request_forgery for more information).

For use with the webhelpers.html.secure_form helper functions.


Decorator to redirect to the SSL version of a page if not currently using HTTPS. Apply this decorator to controller methods (actions).

Takes a url argument: either a string url, or a callable returning a string url. The callable will be called with no arguments when the decorated method is called. The url’s scheme will be rewritten to https if necessary.

Non-HTTPS POST requests are aborted (405 response code) by this decorator.


# redirect to HTTPS /pylons
def index(self):

# redirect to HTTPS /auth/login, delaying the url() call until
# later (as the url object may not be functional when the
# decorator/method are defined)
@https(lambda: url(controller='auth', action='login'))
def login(self):

# redirect to HTTPS version of myself
def get(self):

Table Of Contents

Previous topic

pylons.decorators.rest – REST-ful Decorators

Next topic

pylons.error – Error handling support