Merge pull request #38345 from kontist/hsts-max-age

Default HSTS max-age directive to 2 years
rails · Feb 8, 2020 · 2a52e04 · 2a52e04
2 parents 44161db + 5dc928e
commit 2a52e04
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 5 deletions.
diff --git a/actionpack/lib/action_dispatch/middleware/ssl.rb b/actionpack/lib/action_dispatch/middleware/ssl.rb
@@ -29,7 +29,7 @@ module ActionDispatch
   #
   #    * +expires+: How long, in seconds, these settings will stick. The minimum
   #      required to qualify for browser preload lists is 1 year. Defaults to
-  #      1 year (recommended).
+  #      2 years (recommended).
   #
   #    * +subdomains+: Set to +true+ to tell the browser to apply these settings
   #      to all subdomains. This protects your cookies from interception by a
@@ -49,8 +49,8 @@ module ActionDispatch
   class SSL
     # :stopdoc:
 
-    # Default to 1 year, the minimum for browser preload lists.
-    HSTS_EXPIRES_IN = 31536000
+    # Default to 2 years as recommended on hstspreload.org.
+    HSTS_EXPIRES_IN = 63072000
 
     def self.default_hsts_options
       { expires: HSTS_EXPIRES_IN, subdomains: true, preload: false }

diff --git a/actionpack/test/dispatch/ssl_test.rb b/actionpack/test/dispatch/ssl_test.rb
@@ -98,8 +98,8 @@ def assert_post_redirected(redirect: {}, from: "http://a/b?c=d",
 end
 
 class StrictTransportSecurityTest < SSLTest
-  EXPECTED = "max-age=31536000"
-  EXPECTED_WITH_SUBDOMAINS = "max-age=31536000; includeSubDomains"
+  EXPECTED = "max-age=63072000"
+  EXPECTED_WITH_SUBDOMAINS = "max-age=63072000; includeSubDomains"
 
   def assert_hsts(expected, url: "https://example.org", hsts: { subdomains: true }, headers: {})
     self.app = build_app ssl_options: { hsts: hsts }, headers: headers