
Make `config.force_ssl` less dangerous to try and easier to disable #21520

Merged
merged 1 commit into from Sep 8, 2015

Conversation


jeremy commented Sep 7, 2015

SSL redirect:

  • Move :host and :port options within redirect: { … }. Deprecate.
  • Introduce :status and :body to customize the redirect response.
    The 301 permanent default makes it difficult to test the redirect and
    back out of it since browsers remember the 301. Test with a 302 or 307
    instead, then switch to 301 once you're confident that all is well.

HTTP Strict Transport Security (HSTS):

  • Security. Include the header on http:// responses also. We immediately
    redirect http:// requests to https://, but the header needs to be set
    on the initial response, not just the https:// destination.
  • Shorter max-age. Shorten the default max-age from 1 year to ~~18 weeks~~ 180 days,
    the minimum to qualify for inclusion in browser preload lists.
  • Disabling HSTS. Setting hsts: false now sets hsts: { expires: 0 }
    instead of omitting the header. Omitting does nothing to disable HSTS
    since browsers hang on to your previous settings until they expire.
    Sending hsts: { expires: 0 } flushes out old browser settings and
    actually disables HSTS:
    http://tools.ietf.org/html/rfc6797#section-6.1.1
  • HSTS Preload. Introduce preload: true to set the preload flag,
    indicating that your site may be included in browser preload lists,
    including Chrome, Firefox, Safari, IE11, and Edge. Submit your site:
    https://hstspreload.appspot.com
```ruby
class SSL
  YEAR = 31536000
  # Default to the minimum expiry needed to qualify for browser preload.
  HSTS_EXPIRES_IN = 18.weeks
```

rafaelfranca Sep 7, 2015

Member

Isn't it necessary to require the core_ext to get this working?

jeremy Sep 7, 2015

Author Member

Replaced with integer number of seconds 👍


rafaelfranca commented Sep 7, 2015

Awesome! :shipit:

```ruby
@host = options[:host]
@port = options[:port]
@app = RedirectInsecureRequests.new(app, **redirect)
@hsts = normalize_hsts_options(hsts)
```

kaspth Sep 7, 2015

Member

I don't see @hsts being used anywhere else than in this scope. Would it make sense to just have it as a local variable?

jeremy Sep 7, 2015

Author Member

Yes! 👍


kaspth commented Sep 7, 2015

Yeah, this is great ᕦ( ͡° ͜ʖ ͡°)ᕤ

HTTP Strict Transport Security (HSTS):
* Security. Include the header on http:// responses also. We immediately
redirect http:// requests to https://, but the header needs to be set
on the initial response, not just the https:// destination.

matthewd Sep 7, 2015

Member

https://tools.ietf.org/html/rfc6797#section-7.2:

An HSTS Host MUST NOT include the STS header field in HTTP responses conveyed over non-secure transport.

jeremy Sep 7, 2015

Author Member

Doh! Totally misinterpreted that.

jeremy Sep 8, 2015

Author Member

Updated to do the redirect before applying headers again.

redirect http:// requests to https://, but the header needs to be set
on the initial response, not just the https:// destination.
* Shorter max-age. Shorten the default max-age from 1 year to 18 weeks,
the minimum to qualify for inclusion in browser preload lists.

matthewd Sep 7, 2015

Member

18 weeks is still a long time... if we have a separate preload: true option, would it make sense to go for a much shorter "trial" value here, when that's false?

jeremy Sep 7, 2015

Author Member

Since hsts: false now sends expires: 0, we're OK to safely use longish max-age. I considered using 180 days since that's the low end for https://www.ssllabs.com/ssltest/

jeremy Sep 8, 2015

Author Member

Went ahead with 180 days, may as well help people get A+ grades by default 😁

@jeremy jeremy force-pushed the jeremy:friendlier-force-ssl branch from f0604fc Sep 8, 2015

rafaelfranca commented Sep 8, 2015

👍

nynhex commented Sep 8, 2015

This is really great work, wish I could get in on this but it looks very well factored thus far. You guys amaze me on a daily basis. Thanks so much!

SSL redirect:
* Move `:host` and `:port` options within `redirect: { … }`. Deprecate.
* Introduce `:status` and `:body` to customize the redirect response.
  The 301 permanent default makes it difficult to test the redirect and
  back out of it since browsers remember the 301. Test with a 302 or 307
  instead, then switch to 301 once you're confident that all is well.

HTTP Strict Transport Security (HSTS):
* Shorter max-age. Shorten the default max-age from 1 year to 180 days,
  the low end for https://www.ssllabs.com/ssltest/ grading and greater
  than the 18-week minimum to qualify for browser preload lists.
* Disabling HSTS. Setting `hsts: false` now sets `hsts: { expires: 0 }`
  instead of omitting the header. Omitting does nothing to disable HSTS
  since browsers hang on to your previous settings until they expire.
  Sending `{ hsts: { expires: 0 }}` flushes out old browser settings and
  actually disables HSTS:
    http://tools.ietf.org/html/rfc6797#section-6.1.1
* HSTS Preload. Introduce `preload: true` to set the `preload` flag,
  indicating that your site may be included in browser preload lists,
  including Chrome, Firefox, Safari, IE11, and Edge. Submit your site:
    https://hstspreload.appspot.com
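As an added example (not Rails' own `ActionDispatch::SSL`), here is a small Rack-style middleware that implements the behaviour the commit message above describes, together with the correction from matthewd's RFC 6797 review comment: the redirect status is configurable (301 by default, 302/307 for trials), the HSTS default is 180 days, `hsts: false` sends `max-age=0` instead of omitting the header, `preload: true` sets the flag, the header is only emitted on https responses, and an app-supplied header is left alone. The class name, option names and sample `env` hashes are assumptions.

```ruby
# Added example, not Rails' own ActionDispatch::SSL: a small Rack-style middleware
# that follows the behaviour settled in this PR. Class/option names are assumptions.
class ForceSSL
  HSTS_EXPIRES_IN = 180 * 24 * 60 * 60 # 180 days in seconds, the PR's final default
  def initialize(app, redirect: {}, hsts: {})
    @app = app
    # 301 by default; pass status: 302 or 307 while testing so browsers don't cache it
    @redirect = { status: 301, body: [] }.merge(redirect)
    @hsts = normalize_hsts(hsts)
  end

  # hsts: false must SEND max-age=0 rather than omit the header (RFC 6797 s6.1.1),
  # otherwise browsers keep enforcing the previously cached policy until it expires.
  def normalize_hsts(hsts)
    defaults = { expires: HSTS_EXPIRES_IN, subdomains: false, preload: false }
    case hsts
    when false then defaults.merge(expires: 0)
    when Hash  then defaults.merge(hsts)
    else defaults
    end
  end

  def hsts_header
    parts = ["max-age=#{@hsts[:expires].to_i}"]
    parts << 'includeSubDomains' if @hsts[:subdomains]
    parts << 'preload' if @hsts[:preload] # only meaningful with a long max-age
    parts.join('; ')
  end

  def call(env)
    # Redirect first: RFC 6797 s7.2 forbids the STS header over non-secure transport.
    return redirect_to_https(env) unless secure?(env)
    status, headers, body = @app.call(env)
    # Let the app supply its own policy; fill in ours only when it didn't.
    headers['Strict-Transport-Security'] ||= hsts_header
    [status, headers, body]
  end

  private
  def secure?(env)
    env['rack.url_scheme'] == 'https' || env['HTTP_X_FORWARDED_PROTO'] == 'https'
  end

  def redirect_to_https(env)
    location = "https://#{env['HTTP_HOST']}#{env['PATH_INFO']}"
    location += "?#{env['QUERY_STRING']}" unless env['QUERY_STRING'].to_s.empty?
    [@redirect[:status], { 'Location' => location }, @redirect[:body]]
  end
end
```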
@jeremy jeremy force-pushed the jeremy:friendlier-force-ssl branch to f674922 Sep 8, 2015

jeremy commented Sep 8, 2015

Updated to allow the app to provide its own Strict-Transport-Security header.


rafaelfranca commented Sep 8, 2015

LGTM

jeremy added a commit that referenced this pull request Sep 8, 2015
Make `config.force_ssl` less dangerous to try and easier to disable
@jeremy jeremy merged commit a11571c into rails:master Sep 8, 2015
@jeremy jeremy deleted the jeremy:friendlier-force-ssl branch Sep 8, 2015
```ruby
#
# Configure HSTS with `hsts: { … }`:
# * `expires`: How long, in seconds, these settings will stick. Defaults to
# `18.weeks`, the minimum required to qualify for browser preload lists.
```

kaspth Sep 19, 2015

Member

Already fixed on master: 7c47160 😁

reedloden Sep 19, 2015

Ah, missed that. Awesome.

instead, then switch to 301 once you're confident that all is well.

HTTP Strict Transport Security (HSTS):
* Shorter max-age. Shorten the default max-age from 1 year to 180 days,

reedloden Sep 19, 2015

Is there an explanation for why this was lowered?

kaspth Sep 19, 2015

Member

Yes. The rest of the sentence (sorry to be glib) 😁

reedloden Sep 19, 2015

That doesn't answer the question... 1 year was perfectly fine, so why lower it?

kaspth Sep 19, 2015

Member

I think the nugget is in here: #21520 (comment) - but I don't know how to elaborate.

jeremy Sep 19, 2015

Author Member

One year was fine, but it was arbitrary, and we offered no way to back out of the choice. To reset expectations and improve new-user experience with a dangerous-feeling feature like this, I looked for community guidance. Browser preload qualification starts at 18-week max-age; SSL Labs recommends 180+ days. That's where most people look to improve their grade, and it's a sensible starting point.

@connorshea connorshea mentioned this pull request Oct 19, 2015