ActionDispatch:SSL: don't include STS header in non-https responses #11065

Contributor

gbuesing commented Jun 24, 2013

Reason: the STS spec explicitly says:

"An HSTS Host MUST NOT include the STS header field in HTTP responses conveyed over non-secure transport."

http://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec-14#section-7.2
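The behaviour the pull request title describes, written out as a stand-alone Rack-style middleware. This is an added example, not the Rails `ActionDispatch::SSL` code: the class name `StrictTransportMiddleware`, the `hsts:` and `trust_proxy_header:` options, the one-year default `max-age`, the helper `hsts_demo_app` and the sample environments are all assumptions made for the illustration. Plain-HTTP requests get a redirect with no `Strict-Transport-Security` header; only responses served over HTTPS carry it, which is what section 7.2 of the draft quoted above requires.

```ruby
# Added example, not the Rails ActionDispatch::SSL implementation: a minimal
# Rack-style middleware that (1) redirects plain-HTTP requests to https and
# (2) sets Strict-Transport-Security only on responses sent over HTTPS.
# No Rack gem is needed: a Rack env is a Hash, a response is [status, headers, body].
class StrictTransportMiddleware
  DEFAULT_HSTS = { expires: 31_536_000, subdomains: false }.freeze # assumed defaults

  # trust_proxy_header: set to true only when every request reaches the app
  # through a TLS-terminating proxy you control; otherwise a client can send
  # "X-Forwarded-Proto: https" itself and skip the redirect.
  def initialize(app, hsts: {}, trust_proxy_header: false)
    @app = app
    @hsts = DEFAULT_HSTS.merge(hsts)
    @trust_proxy_header = trust_proxy_header
  end

  def call(env)
    return redirect_to_https(env) unless secure?(env)

    status, headers, body = @app.call(env)
    headers = headers.dup
    headers['Strict-Transport-Security'] ||= hsts_header
    [status, headers, body]
  end

  def secure?(env)
    return true if env['rack.url_scheme'] == 'https'
    @trust_proxy_header && env['HTTP_X_FORWARDED_PROTO'] == 'https'
  end

  def hsts_header
    value = "max-age=#{@hsts[:expires]}"
    value += '; includeSubDomains' if @hsts[:subdomains]
    value
  end

  private

  # The non-secure branch: a permanent redirect and nothing else. Deliberately
  # no STS header here; an HSTS host MUST NOT send it over plain HTTP, and a
  # conforming browser ignores it on a non-secure response anyway.
  def redirect_to_https(env)
    headers = { 'Location' => https_url(env), 'Content-Type' => 'text/plain' }
    [301, headers, ['Moved Permanently']]
  end

  def https_url(env)
    host = env['HTTP_HOST'] || env['SERVER_NAME']
    url = "https://#{host}#{env['PATH_INFO']}"
    query = env['QUERY_STRING'].to_s
    url += "?#{query}" unless query.empty?
    url
  end
end

# Constructed sample environments for the demo (not captured traffic).
HTTPS_ENV = {
  'REQUEST_METHOD' => 'GET', 'rack.url_scheme' => 'https',
  'HTTP_HOST' => 'example.com', 'PATH_INFO' => '/login', 'QUERY_STRING' => 'next=%2F'
}.freeze
HTTP_ENV = HTTPS_ENV.merge('rack.url_scheme' => 'http').freeze

# A trivial downstream app wrapped by the middleware (hypothetical helper).
def hsts_demo_app(**opts)
  inner = ->(_env) { [200, { 'Content-Type' => 'text/plain' }, ['ok']] }
  StrictTransportMiddleware.new(inner, **opts)
end

if $PROGRAM_NAME == __FILE__
  { 'http' => HTTP_ENV, 'https' => HTTPS_ENV }.each do |scheme, env|
    status, headers, _body = hsts_demo_app.call(env)
    puts "#{scheme}: #{status} #{headers.inspect}"
  end
end
```

Run it directly and the `http` line shows a 301 with only `Location` and `Content-Type`, while the `https` line shows the 200 carrying `Strict-Transport-Security`. The `trust_proxy_header` flag is the caveat worth keeping in mind when deploying behind a load balancer: the `X-Forwarded-Proto` header is attacker-controlled unless the proxy overwrites it.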

Owner

guilleiguaran commented Jun 24, 2013

Looks fine to me, but I'll wait for a review from someone on the Rails security team before merging.

Member

NZKoz commented Jun 24, 2013

As far as security goes, this does seem to be harmless; there's nothing sensitive in the HSTS headers, so we're not leaking any information we shouldn't.

It might be interesting to get an explanation from an HSTS expert, or from someone who trawls through the list archives for one, but for now I think it can be safely applied.

guilleiguaran added a commit that referenced this pull request Jun 24, 2013

Merge pull request #11065 from gbuesing/hstsfix
ActionDispatch:SSL: don't include STS header in non-https responses

@guilleiguaran guilleiguaran merged commit a6dd2ed into rails:master Jun 24, 2013

Owner

guilleiguaran commented Jun 24, 2013

@NZKoz thanks 👍

guilleiguaran added a commit that referenced this pull request Jul 15, 2013

Merge pull request #11065 from gbuesing/hstsfix
ActionDispatch:SSL: don't include STS header in non-https responses

rafaelfranca added a commit that referenced this pull request Sep 12, 2013
