Comparing changes
  • 5 commits
  • 2 files changed
  • 0 commit comments
  • 1 contributor
Showing with 20 additions and 1 deletion.
  1. +16 −0
  2. +4 −1 lib/rack/ssl.rb
@@ -1,6 +1,21 @@
+This branch enhances Rack::SSL to enforce redirects to a subdomain if disallow_no_subdomain is set.
+As an example, in the environments/production.rb file, you'd probably have the following set for Rack:SSL
+ config.middleware.insert_before ActionDispatch::Cookies, Rack::SSL,:port=>443,:host=>''
+Assuming your host is
+If a user types in (and for certain browsers that ignore protocol AND subdomain redirects),
+they will still be able to access the site. This will be an issue if you've setup cookies to be subdomain specific
+To ensure users are not able to use 'no subdomain based url', use the option disallow_no_subdomain ie:
+ config.middleware.insert_before ActionDispatch::Cookies, Rack::SSL,:port=>443,:host=>'',:disallow_no_subdomain=>true
Force SSL/TLS in your app.
1. Redirects all "http" requests to "https"
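Review bot: the README text added at the top of this hunk does not mention that `disallow_no_subdomain` is silently ignored unless `:host` itself contains at least two dots, which is how the option is gated in `lib/rack/ssl.rb`; someone who sets `:disallow_no_subdomain => true` with a bare `:host` such as `'example.com'` gets no redirect and no warning, so state that precondition next to the option. The cookie sentence would also help readers more if it said what goes wrong: a session cookie scoped to the `www` host is not sent for the bare domain, so a user who lands there gets a second, unauthenticated session instead of the one they already have. Finally, `Rack:SSL` (single colon) should read `Rack::SSL`, and the two `config.middleware.insert_before` lines should be set off as code so the README renders them as such.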
@@ -11,3 +26,4 @@ Usage
use Rack::SSL
5 lib/rack/ssl.rb
@@ -19,12 +19,15 @@ def initialize(app, options = {})
@exclude = options[:exclude]
@host = options[:host]
@port = options[:port]
+ @disallow_no_subdomain= options[:disallow_no_subdomain] && @host.scan('.').count>=2 #only set disallow of no subdomains if explicitly set as well as provided in the host name!
def call(env)
if @exclude &&
elsif scheme(env) == 'https'
+ return redirect_to_https(env) if @disallow_no_subdomain && env["SERVER_NAME"].scan('.').count<2 #redirect to a www subdomain if no domain is given
status, headers, body =
headers = hsts_headers.merge(headers)
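Review bot: the new `@disallow_no_subdomain` line in `initialize` calls `@host.scan` with no nil guard, so passing `:disallow_no_subdomain => true` without `:host` raises `NoMethodError` when the middleware is built; write it as `@disallow_no_subdomain = options[:disallow_no_subdomain] && @host && @host.count('.') >= 2` (`String#count` does the job without building an array). Counting dots is also a weak test for "has a subdomain": `example.co.uk` has two dots and no subdomain, an IPv4 literal has three, and `localhost` has none, so both this line and the check added in `call` can misfire. Since `@host` is required for the option anyway, a test against the zone you actually serve is more reliable, e.g. redirect unless the requested host equals `@host` or ends with `'.' + @host.split('.', 2).last`, which accepts any subdomain of the configured domain and rejects the bare name, matching the intent stated in the comment. In `call`, `env["SERVER_NAME"]` is filled in by the server and may be its configured name rather than what the client asked for; `Rack::Request.new(env).host` (which reads `HTTP_HOST` and, behind a proxy, `X-Forwarded-Host`) is the value the README is describing. Style: spaces around `=`, and move the long trailing comments onto their own lines.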
@@ -50,7 +53,7 @@ def redirect_to_https(env)
req =
url = URI(req.url)
url.scheme = "https"
- = @host if @host
+ = @host if @host && env["SERVER_NAME"].scan('.').count<2 #!@disallow_no_subdomain #lets not set a host if either its not set in the config OR a subdomain was provided and allowed
url.port = @port if @port
headers = hsts_headers.merge('Content-Type' => 'text/html',
'Location' => url.to_s)
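Review bot: the changed assignment in `redirect_to_https` now skips the `@host` override whenever the requested name has two or more dots, regardless of `@disallow_no_subdomain`, so this is a behaviour change for every existing user of `:host`: an http request for `other.example.com` used to be redirected to `@host` and now stays on `other.example.com`. It also weakens the host pinning that `:host` provided, because the redirect target is built from `req.url`, i.e. from the client-supplied Host header, and that header is now copied into `Location` unchanged for any multi-dot value. Gate the new behaviour on the option (the commented-out `#!@disallow_no_subdomain` suggests that was the intent) and keep the unconditional override when it is off, and delete the dead comment; the same `SERVER_NAME` versus `Rack::Request#host` point raised for `call` applies to this line as well.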
