Rack::SslEnforcer

Rack::SslEnforcer is a simple Rack middleware that enforces SSL (HTTPS) connections by redirecting plain HTTP requests. As of version 0.2.0, Rack::SslEnforcer also marks cookies as Secure and enables HSTS by default.

Installation

gem install rack-ssl-enforcer

Usage

require 'rack/ssl-enforcer'
use Rack::SslEnforcer

Or, if you are using Bundler, just add this to your Gemfile:

gem 'rack-ssl-enforcer', :require => 'rack/ssl-enforcer'

To use Rack::SslEnforcer in your Rails application, add the following line to your application config file (config/application.rb for Rails 3, config/environment.rb for Rails 2):

config.middleware.use Rack::SslEnforcer

This will redirect all HTTP requests to HTTPS. Rack::SslEnforcer accepts the following options:

You might need the :redirect_to option if the requested URL can't be determined from the request itself (e.g. when running behind a reverse proxy that terminates TLS). The path and query string of the request are appended to it.

config.middleware.use Rack::SslEnforcer, :redirect_to => 'https://example.org'

You can also restrict enforcement to specific paths, given as strings or regex patterns (only matching paths are redirected to HTTPS):

config.middleware.use Rack::SslEnforcer, :only => /^\/admin\//
config.middleware.use Rack::SslEnforcer, :only => "/login"
config.middleware.use Rack::SslEnforcer, :only => ["/login", /\.xml$/]

or define specific regex patterns or paths as exceptions (everything else is redirected):

config.middleware.use Rack::SslEnforcer, :except => /^\/admin\//
config.middleware.use Rack::SslEnforcer, :except => "/login"
config.middleware.use Rack::SslEnforcer, :except => ["/login", /\.xml$/]

With :strict, paths that are not matched by :only are additionally forced back to plain HTTP (an HTTPS request for such a path is redirected to http://). Note that a browser which has already received the HSTS header for the host will keep rewriting http:// URLs to https:// on its own, so :strict and HSTS do not combine well for the same hostname.

config.middleware.use Rack::SslEnforcer, :only => ["/login", /\.xml$/], :strict => true

To set the HSTS max-age (:expires, in seconds) and subdomain inclusion (:subdomains), the defaults being one year and true:

config.middleware.use Rack::SslEnforcer, :hsts => {:expires => 500, :subdomains => false}
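The following is an added illustration of the behaviour the options above describe, written for this page; it is not the rack-ssl-enforcer gem's own code and the gem's exact matching rules may differ. It builds a minimal Rack-compatible middleware (the class name TinySslEnforcer, the helpers and the X-Forwarded-Proto handling are assumptions) and runs hand-built env hashes through it, so it needs no gems beyond the Ruby standard library:

```ruby
# Added example, not the rack-ssl-enforcer gem: a minimal Rack middleware that
# reproduces the README's rules (redirect to HTTPS, :redirect_to, :only/:except,
# :strict, Secure cookie flagging, HSTS). All names here are assumptions.
require 'uri'

class TinySslEnforcer
  ONE_YEAR = 31_536_000 # seconds, the README's default HSTS expiry

  def initialize(app, options = {})
    @app         = app
    @only        = Array(options[:only])
    @except      = Array(options[:except])
    @strict      = options.fetch(:strict, false)
    @redirect_to = options[:redirect_to]
    hsts         = options.fetch(:hsts, {})
    # In this toy, :hsts => false disables the header (an assumption, not the gem's API).
    @hsts        = hsts && { expires: ONE_YEAR, subdomains: true }.merge(hsts)
  end

  def call(env)
    https   = https_request?(env)
    enforce = enforce_for?(env['PATH_INFO'].to_s)

    return redirect(env, 'https') if !https && enforce
    # :strict pushes HTTPS requests for non-matching paths back to plain HTTP.
    return redirect(env, 'http')  if https && !enforce && @strict

    status, headers, body = @app.call(env)
    if https
      flag_cookies_secure(headers)
      headers['Strict-Transport-Security'] = hsts_value if @hsts
    end
    [status, headers, body]
  end

  private

  # Behind a TLS-terminating proxy rack.url_scheme is usually "http" and the
  # proxy reports the client's scheme in X-Forwarded-Proto. Assumption: the proxy
  # sets that header itself and strips any copy supplied by the client.
  def https_request?(env)
    env['HTTPS'] == 'on' ||
      env['rack.url_scheme'] == 'https' ||
      env['HTTP_X_FORWARDED_PROTO'].to_s.split(',').first.to_s.strip == 'https'
  end

  # Strings match as path prefixes, regexes as patterns (assumed semantics).
  def matches?(patterns, path)
    patterns.any? { |p| p.is_a?(Regexp) ? path =~ p : path.start_with?(p) }
  end

  def enforce_for?(path)
    return matches?(@only, path)    unless @only.empty?
    return !matches?(@except, path) unless @except.empty?
    true
  end

  def redirect(env, scheme)
    host  = env['HTTP_HOST'] || env['SERVER_NAME']
    base  = (scheme == 'https' && @redirect_to) ? @redirect_to.chomp('/') : "#{scheme}://#{host}"
    query = env['QUERY_STRING'].to_s.empty? ? '' : "?#{env['QUERY_STRING']}"
    location = "#{base}#{env['PATH_INFO']}#{query}"
    # The body deliberately does not echo the URL, so nothing client-controlled is reflected.
    [301, { 'Location' => location, 'Content-Type' => 'text/plain' }, ['Moved Permanently']]
  end

  # Append "; Secure" to every Set-Cookie value that does not carry it already.
  def flag_cookies_secure(headers)
    cookies = headers['Set-Cookie']
    return unless cookies
    list = cookies.is_a?(Array) ? cookies : cookies.split("\n")
    list = list.map { |c| c =~ /;\s*secure\b/i ? c : "#{c}; Secure" }
    headers['Set-Cookie'] = list.join("\n")
  end

  def hsts_value
    value = "max-age=#{@hsts[:expires]}"
    value += '; includeSubDomains' if @hsts[:subdomains]
    value
  end
end

# Constructed backend app: it sets a cookie without a Secure flag of its own.
TOY_APP = lambda do |_env|
  [200, { 'Content-Type' => 'text/plain', 'Set-Cookie' => 'session=abc; HttpOnly' }, ['ok']]
end

# Build a Rack env hash by hand so the example runs without the rack gem.
def make_env(url, forwarded_proto: nil)
  uri = URI(url)
  env = { 'rack.url_scheme' => uri.scheme, 'HTTP_HOST' => uri.host, 'REQUEST_METHOD' => 'GET',
          'PATH_INFO' => uri.path, 'QUERY_STRING' => uri.query.to_s }
  env['HTTP_X_FORWARDED_PROTO'] = forwarded_proto if forwarded_proto
  env
end

# Returns the [status, headers, body] triple the middleware produces for one request.
def simulate(options, url, forwarded_proto: nil)
  TinySslEnforcer.new(TOY_APP, options).call(make_env(url, forwarded_proto: forwarded_proto))
end

if $PROGRAM_NAME == __FILE__
  p simulate({}, 'http://example.org/login?x=1')                            # 301 to https://...
  p simulate({ only: '/login', strict: true }, 'https://example.org/public') # 301 back to http://...
  p simulate({ hsts: { expires: 500, subdomains: false } }, 'https://example.org/')
end
```

Running it shows the three effects a reviewer should check on a deployed app as well: the HTTP request receives a 301 to the https:// URL with path and query preserved, the HTTPS response carries Strict-Transport-Security, and the backend's cookie comes back with "; Secure" appended. The X-Forwarded-Proto branch is what makes the middleware usable behind a proxy; without it every request would look like plain HTTP and redirect forever.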

TODO

  • Add configuration option to specify local http / https ports

  • Cleanup tests

Contributors

Credits

The secure-cookie flagging and HSTS support are greatly inspired by Joshua Peek's Rack::SSL.

Note on Patches/Pull Requests

  • Fork the project.

  • Make your feature addition or bug fix.

  • Add tests for it. This is important so I don't break it in a future version unintentionally.

  • Commit, but do not touch the Rakefile, version, or history. (If you want your own version, that is fine, but bump the version in a commit by itself so I can ignore it when I pull.)

  • Send me a pull request. Bonus points for topic branches.

Copyright

Copyright © 2010 Tobias Matthies. See LICENSE for details.