  • 5 commits
  • 2 files changed
  • 0 commit comments
  • 1 contributor
Showing with 20 additions and 1 deletion.
  1. +16 −0 README.md
  2. +4 −1 lib/rack/ssl.rb
16 README.md
@@ -1,6 +1,21 @@
Rack::SSL
=========
+This branch enhances Rack::SSL to enforce redirects to a subdomain if disallow_no_subdomain is set.
+As an example, in the environments/production.rb file, you'd probably have the following set for Rack:SSL
+
+ config.middleware.insert_before ActionDispatch::Cookies, Rack::SSL,:port=>443,:host=>'www.7vals.com'
+
+Assuming your host is www.7vals.com
+If a user types in https://7vals.com (and for certain browsers that ignore protocol AND subdomain redirects),
+they will still be able to access the site. This will be an issue if you've setup cookies to be subdomain specific
+
+To ensure users are not able to use 'no subdomain based url', use the option disallow_no_subdomain ie:
+
+ config.middleware.insert_before ActionDispatch::Cookies, Rack::SSL,:port=>443,:host=>'www.7vals.com',:disallow_no_subdomain=>true
+
+
+
Force SSL/TLS in your app.
1. Redirects all "http" requests to "https"
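Review bot: `Rack:SSL` in "you'd probably have the following set for Rack:SSL" is missing a colon and should read `Rack::SSL`. The new paragraph should also state the precondition that `lib/rack/ssl.rb` enforces in `initialize`: `:disallow_no_subdomain` only takes effect when `:host` contains at least two dots (for example `www.7vals.com`), so configuring it with `:host=>'7vals.com'` silently disables the option. Consider placing this branch-specific section after the existing "Force SSL/TLS in your app." summary and its numbered list, so the README opens with what the middleware does before describing the option, and drop the run of three trailing blank lines.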
@@ -11,3 +26,4 @@ Usage
-----
use Rack::SSL
+
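Review bot: this hunk only appends a blank line after `use Rack::SSL`; unless it is intended, drop it so the README diff is limited to the documentation change.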
5 lib/rack/ssl.rb
@@ -19,12 +19,15 @@ def initialize(app, options = {})
@exclude = options[:exclude]
@host = options[:host]
@port = options[:port]
+ @disallow_no_subdomain= options[:disallow_no_subdomain] && @host.scan('.').count>=2 #only set disallow of no subdomains if explicitly set as well as provided in the host name!
end
def call(env)
if @exclude && @exclude.call(env)
@app.call(env)
elsif scheme(env) == 'https'
+ return redirect_to_https(env) if @disallow_no_subdomain && env["SERVER_NAME"].scan('.').count<2 #redirect to a www subdomain if no domain is given
+
status, headers, body = @app.call(env)
headers = hsts_headers.merge(headers)
flag_cookies_as_secure!(headers)
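Review bot: `@disallow_no_subdomain= options[:disallow_no_subdomain] && @host.scan('.').count>=2` raises `NoMethodError` on `nil` when the option is set but `:host` is not; guard it with `@host &&`, or raise an `ArgumentError` stating that the option requires `:host`. In `call`, counting dots in `env["SERVER_NAME"]` is a brittle proxy for "no subdomain": an IP literal such as `127.0.0.1` has three dots and a registrable domain such as `example.co.uk` has two, so both are treated as already having a subdomain, while the real intent is "the request host is not the configured canonical host". Comparing `env["SERVER_NAME"]` (or `Request.new(env).host`) with `@host` directly expresses that intent without the heuristic. Note also that `SERVER_NAME` is populated by the server and on some servers mirrors the client-supplied `Host` header, so the redirect target must keep coming from the configured `@host` rather than from the request, which `redirect_to_https` does here. Style: add spaces around `=`, `>=` and `<`, and move the explanatory comments onto their own line above each statement.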
@@ -50,7 +53,7 @@ def redirect_to_https(env)
req = Request.new(env)
url = URI(req.url)
url.scheme = "https"
- url.host = @host if @host
+ url.host = @host if @host && env["SERVER_NAME"].scan('.').count<2 #!@disallow_no_subdomain #lets not set a host if either its not set in the config OR a subdomain was provided and allowed
url.port = @port if @port
headers = hsts_headers.merge('Content-Type' => 'text/html',
'Location' => url.to_s)
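Review bot: the new condition on `url.host = @host` changes behaviour for every user of the middleware, not only those who set `:disallow_no_subdomain`: previously a configured `:host` always replaced the request host in the `Location` header, whereas now any request whose `SERVER_NAME` has two or more dots (for example `api.7vals.com`, or an IP literal) keeps its own host. The dead `#!@disallow_no_subdomain` fragment in the trailing comment suggests the author meant to gate this on the option; restore `url.host = @host if @host` as the default and apply the extra check (preferably a direct comparison with `@host` rather than a dot count) only when `@disallow_no_subdomain` is true. Keeping the request host in a redirect also means the `Location` target is derived from `SERVER_NAME`, which on some servers reflects the client's `Host` header; always canonicalising to the configured `@host` avoids that. The comment itself would read better on its own line above the statement, without the commented-out expression.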

No commit comments for this range