Permalink
Browse files

Add HSTS header

  • Loading branch information...
1 parent 7ff8100 commit 3543fccc60d35df940282ef9bcd3306f8ceab27e @josh committed Nov 4, 2010
Showing with 14 additions and 2 deletions.
  1. +9 −2 lib/rack/ssl.rb
  2. +5 −0 test/test_ssl.rb
View
@@ -9,7 +9,9 @@ def initialize(app)
def call(env)
if scheme(env) == 'https'
- @app.call(env)
+ status, headers, body = @app.call(env)
+ headers = hsts_headers.merge(headers)
+ [status, headers, body]
else
redirect_to_https(env)
end
@@ -30,7 +32,12 @@ def scheme(env)
def redirect_to_https(env)
req = Request.new(env)
location = req.url.sub(/^http:/, 'https:')
- [301, {'Content-Type' => "text/html", 'Location' => location}, []]
+ [301, hsts_headers.merge({'Content-Type' => "text/html", 'Location' => location}), []]
+ end
+
+ # http://tools.ietf.org/html/draft-hodges-strict-transport-sec-02
+ def hsts_headers
+ { 'Strict-Transport-Security' => "max-age=16070400; includeSubDomains" }
end
end
end
View
@@ -30,4 +30,9 @@ def test_redirects_http_to_https
assert last_response.redirect?
assert_equal "https://example.org/path?key=value", last_response.headers['Location']
end
+
+ def test_strict_transport_security_header
+ get "https://example.org/path?key=value"
+ assert_equal "max-age=16070400; includeSubDomains", last_response.headers['Strict-Transport-Security']
+ end
end

0 comments on commit 3543fcc

Please sign in to comment.