Merge pull request #11065 from gbuesing/hstsfix

ActionDispatch:SSL: don't include STS header in non-https responses
commit 88d1fa4990f09baf307e0502943ef799ad80e570 1 parent 3ea80ad
@guilleiguaran guilleiguaran authored
3  actionpack/lib/action_dispatch/middleware/ssl.rb
@@ -36,8 +36,7 @@ def redirect_to_https(request)
url.scheme = "https"
url.host = @host if @host
url.port = @port if @port
- headers = hsts_headers.merge('Content-Type' => 'text/html',
- 'Location' => url.to_s)
+ headers = { 'Content-Type' => 'text/html', 'Location' => url.to_s }
[301, headers, []]
end
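Review bot: The new `headers` hash in `redirect_to_https` has no comment saying that Strict-Transport-Security is left off the 301 on purpose, so a later cleanup could merge `hsts_headers` back in. A one-line comment above the assignment would help, noting that this response goes out over plain HTTP and that RFC 6797 (section 7.2) says an HSTS host must not send the STS header over non-secure transport. Browsers ignore the header on insecure responses anyway, so sending it there gives no protection and only suggests that the policy has been set when it has not.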
5 actionpack/test/dispatch/ssl_test.rb
@@ -37,6 +37,11 @@ def test_hsts_header_by_default
response.headers['Strict-Transport-Security']
end
+ def test_no_hsts_with_insecure_connection
+ get "http://example.org/"
+ assert_not response.headers['Strict-Transport-Security']
+ end
+
def test_hsts_header
self.app = ActionDispatch::SSL.new(default_app, :hsts => true)
get "https://example.org/"
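Review bot: `test_no_hsts_with_insecure_connection` only asserts that the header is absent, so it would still pass if the plain-HTTP request stopped being redirected at all. Consider also asserting the 301 status and an `https://` value in `Location`, which ties the test to the redirect path changed in ssl.rb. The test runs against the default app only; a second case that builds the middleware with `:hsts => true`, as `test_hsts_header` does, and then requests `http://example.org/` would cover the explicitly enabled configuration as well.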