Make config.force_ssl less dangerous to try and easier to disable #21520
jeremy merged 1 commit into rails:master
Conversation
Is it not needed to require the core_ext to get this working?
Replaced with integer number of seconds 👍
Awesome!
I don't see @hsts being used anywhere else than in this scope. Would it make sense to just have it as a local variable?
Yeah, this is great ᕦ( ͡° ͜ʖ ͡°)ᕤ
https://tools.ietf.org/html/rfc6797#section-7.2:
An HSTS Host MUST NOT include the STS header field in HTTP responses conveyed over non-secure transport.
Doh! Totally misinterpreted that.
Updated to do the redirect before applying headers again.
f0604fc to f41b32b
👍
This is really great work, wish I could get in on this but it looks very well factored thus far. You guys amaze me on a daily basis. Thanks so much!
SSL redirect:
* Move `:host` and `:port` options within `redirect: { … }`. Deprecate.
* Introduce `:status` and `:body` to customize the redirect response.
The 301 permanent default makes it difficult to test the redirect and
back out of it since browsers remember the 301. Test with a 302 or 307
instead, then switch to 301 once you're confident that all is well.
HTTP Strict Transport Security (HSTS):
* Shorter max-age. Shorten the default max-age from 1 year to 180 days,
the low end for https://www.ssllabs.com/ssltest/ grading and greater
than the 18-week minimum to qualify for browser preload lists.
* Disabling HSTS. Setting `hsts: false` now sets `hsts: { expires: 0 }`
instead of omitting the header. Omitting does nothing to disable HSTS
since browsers hang on to your previous settings until they expire.
Sending `{ hsts: { expires: 0 }}` flushes out old browser settings and
actually disables HSTS:
http://tools.ietf.org/html/rfc6797#section-6.1.1
* HSTS Preload. Introduce `preload: true` to set the `preload` flag,
indicating that your site may be included in browser preload lists,
including Chrome, Firefox, Safari, IE11, and Edge. Submit your site:
https://hstspreload.appspot.com
f41b32b to f674922
Updated to allow the app to provide its own
LGTM
Make `config.force_ssl` less dangerous to try and easier to disable
SSL redirect:
* Move `:host` and `:port` options within `redirect: { … }`. Deprecate.
* Introduce `:status` and `:body` to customize the redirect response.
The 301 permanent default makes it difficult to test the redirect and
back out of it since browsers remember the 301. Test with a 302 or 307
instead, then switch to 301 once you're confident that all is well.
HTTP Strict Transport Security (HSTS):
* Security. Include the header on http:// responses also. We immediately
redirect http:// requests to https://, but the header needs to be set
on the initial response, not just the https:// destination.
* 18 weeks 180 days, the minimum to qualify for inclusion in browser preload lists.
* `hsts: false` now sets `hsts: { expires: 0 }` instead of omitting the header. Omitting does nothing to disable HSTS
since browsers hang on to your previous settings until they expire.
Sending `hsts: { expires: 0 }` flushes out old browser settings and
actually disables HSTS:
http://tools.ietf.org/html/rfc6797#section-6.1.1
* Introduce `preload: true` to set the `preload` flag, indicating that your site may be included in browser preload lists,
including Chrome, Firefox, Safari, IE11, and Edge. Submit your site:
https://hstspreload.appspot.com
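The behaviours discussed in this thread (a configurable redirect status, `hsts: false` sending `max-age=0` rather than omitting the header, the `preload` flag, and the RFC 6797 rule that STS is only sent on the https:// response after the redirect), as an added illustration that is not the Rails middleware from this PR; the `ForceSsl` class and its helper names are assumptions for the example.

```ruby
# Added example, not the Rails code from this PR: a minimal Rack-style
# middleware showing the behaviours the commit message describes.
# Option names follow the PR (redirect: {status:, body:}, hsts: {expires:, preload:});
# the class and helper names are assumptions for this illustration.
class ForceSsl
  DEFAULT_HSTS = { expires: 180 * 24 * 60 * 60, subdomains: false, preload: false }

  def initialize(app, redirect: {}, hsts: {})
    @app = app
    @redirect = { status: 301, body: [] }.merge(redirect)
    # hsts: false must still send a header: max-age=0 flushes settings the
    # browser already cached (RFC 6797 section 6.1.1); omitting it does nothing.
    @hsts = hsts == false ? { expires: 0 } : DEFAULT_HSTS.merge(hsts)
  end

  def call(env)
    # Redirect first: RFC 6797 section 7.2 forbids the STS header on
    # responses conveyed over non-secure transport.
    return redirect_to_https(env) unless secure?(env)
    status, headers, body = @app.call(env)
    headers["Strict-Transport-Security"] = hsts_header
    [status, headers, body]
  end

  # Builds the header value; max-age is an integer number of seconds.
  def hsts_header
    value = "max-age=#{@hsts[:expires].to_i}"
    value += "; includeSubDomains" if @hsts[:subdomains]
    value += "; preload" if @hsts[:preload]
    value
  end

  private

  def secure?(env)
    env["rack.url_scheme"] == "https" || env["HTTP_X_FORWARDED_PROTO"] == "https"
  end

  # Uses the configurable status so a 302/307 can be tried before committing to 301.
  def redirect_to_https(env)
    location = "https://#{env['HTTP_HOST']}#{env['PATH_INFO']}"
    location += "?#{env['QUERY_STRING']}" unless env["QUERY_STRING"].to_s.empty?
    [@redirect[:status], { "Location" => location }, @redirect[:body]]
  end
end
```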