Web applications often transfer sensitive data between client and server. Even a session id is not something that should be vulnerable to eavesdropping. It is therefore a very good idea to encrypt all communication and implement a HTTPS server.
Subclassing HTTPServer
Python's ssl module has been cleaned up quite a bit since version 3.x and with a little help from this recipe it was incredibly simple to adapt the HTTPServer class from the http.server module to accept only secure connections:
import ssl import socket from socketserver import BaseServer from http.server import HTTPServer class HTTPSServer(HTTPServer): def __init__(self,address,handler): BaseServer.__init__(self,address,handler) self.socket = ssl.SSLSocket( sock=socket.socket(self.address_family,self.socket_type), ssl_version=ssl.PROTOCOL_TLSv1, certfile='test.pem', server_side=True) self.server_bind() self.server_activate()
All we do basically is change the initialization code to create a secure socket instead of a regular one (in line 10). The things to watch out for is the ssl_version: older versions are considered unsafe so we use TLS 1.0 here. Also the certificate file we use here contains both our certificate and our private key. If you want to use a self signed certificate for testing purposes you could generate one with openssl (most UNIX-like operating systems offer binary packages, for a precompiled package for windows check the faq.)
openssl req -new -x509 -keyout test.pem -out test.pem -days 365 -nodes
Note that your browser will still complain about this certificate because it is self signed.