Add HSTS header

bkeepers · Nov 4, 2010 · 3543fcc · 3543fcc
1 parent 7ff8100
commit 3543fcc
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 2 deletions.
diff --git a/lib/rack/ssl.rb b/lib/rack/ssl.rb
@@ -9,7 +9,9 @@ def initialize(app)
 
     def call(env)
       if scheme(env) == 'https'
-        @app.call(env)
+        status, headers, body = @app.call(env)
+        headers = hsts_headers.merge(headers)
+        [status, headers, body]
       else
         redirect_to_https(env)
       end
@@ -30,7 +32,12 @@ def scheme(env)
       def redirect_to_https(env)
         req      = Request.new(env)
         location = req.url.sub(/^http:/, 'https:')
-        [301, {'Content-Type' => "text/html", 'Location' => location}, []]
+        [301, hsts_headers.merge({'Content-Type' => "text/html", 'Location' => location}), []]
+      end
+
+      # http://tools.ietf.org/html/draft-hodges-strict-transport-sec-02
+      def hsts_headers
+        { 'Strict-Transport-Security' => "max-age=16070400; includeSubDomains" }
       end
   end
 end
diff --git a/test/test_ssl.rb b/test/test_ssl.rb
@@ -30,4 +30,9 @@ def test_redirects_http_to_https
     assert last_response.redirect?
     assert_equal "https://example.org/path?key=value", last_response.headers['Location']
   end
+
+  def test_strict_transport_security_header
+    get "https://example.org/path?key=value"
+    assert_equal "max-age=16070400; includeSubDomains", last_response.headers['Strict-Transport-Security']
+  end
 end