Make `config.force_ssl` less dangerous to try and easier to disable #21520

Merged: 1 commit merged into rails:master from jeremy:friendlier-force-ssl, Sep 8, 2015

jeremy commented Sep 7, 2015

SSL redirect:

  • Move :host and :port options within redirect: { … }. Deprecate.
  • Introduce :status and :body to customize the redirect response.
    The 301 permanent default makes it difficult to test the redirect and
    back out of it since browsers remember the 301. Test with a 302 or 307
    instead, then switch to 301 once you're confident that all is well.

HTTP Strict Transport Security (HSTS):

  • Security. Include the header on http:// responses also. We immediately
    redirect http:// requests to https://, but the header needs to be set
    on the initial response, not just the https:// destination.
  • Shorter max-age. Shorten the default max-age from 1 year to ~~18 weeks~~ 180 days,
    the minimum to qualify for inclusion in browser preload lists.
  • Disabling HSTS. Setting hsts: false now sets hsts: { expires: 0 }
    instead of omitting the header. Omitting does nothing to disable HSTS
    since browsers hang on to your previous settings until they expire.
    Sending hsts: { expires: 0 } flushes out old browser settings and
    actually disables HSTS:
    http://tools.ietf.org/html/rfc6797#section-6.1.1
  • HSTS Preload. Introduce preload: true to set the preload flag,
    indicating that your site may be included in browser preload lists,
    including Chrome, Firefox, Safari, IE11, and Edge. Submit your site:
    https://hstspreload.appspot.com
class SSL
- YEAR = 31536000
+ # Default to the minimum expiry needed to qualify for browser preload.
+ HSTS_EXPIRES_IN = 18.weeks
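Review bot: `18.weeks` depends on ActiveSupport's Integer time core extension, and nothing in this hunk requires it, so loading this file on its own raises NoMethodError at class-definition time; either use a plain integer number of seconds for `HSTS_EXPIRES_IN` or require the core extension explicitly.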

rafaelfranca Sep 7, 2015

Isn't it needed to require the core_ext to get this working?

jeremy Sep 7, 2015

Replaced with integer number of seconds 👍

rafaelfranca Sep 7, 2015

Awesome! :shipit:

- @host = options[:host]
- @port = options[:port]
+ @app = RedirectInsecureRequests.new(app, **redirect)
+ @hsts = normalize_hsts_options(hsts)
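Review bot: `@hsts` is assigned here but, as kaspth notes, only read within this scope, so a local `hsts` handed on to the next step avoids carrying redundant state on the middleware. Also worth checking: `**redirect` requires symbol keys, so if the redirect options can arrive string-keyed from configuration they should be symbolized before the splat.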

kaspth Sep 7, 2015

I don't see @hsts being used anywhere else than in this scope. Would it make sense to just have it as a local variable?

jeremy Sep 7, 2015

Yes! 👍

kaspth Sep 7, 2015

Yeah, this is great ᕦ( ͡° ͜ʖ ͡°)ᕤ

actionpack/CHANGELOG.md
+ HTTP Strict Transport Security (HSTS):
+ * Security. Include the header on http:// responses also. We immediately
+ redirect http:// requests to https://, but the header needs to be set
+ on the initial response, not just the https:// destination.
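Review bot: this entry documents behaviour that contradicts RFC 6797 section 7.2, which says an HSTS Host MUST NOT include the STS header field in responses conveyed over non-secure transport (matthewd's point below); the header belongs only on the https:// response, with the http:// request redirected before any headers are applied, so the "Security" bullet and the code it describes should be reverted rather than shipped.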

matthewd Sep 7, 2015

https://tools.ietf.org/html/rfc6797#section-7.2:

An HSTS Host MUST NOT include the STS header field in HTTP responses conveyed over non-secure transport.

jeremy Sep 7, 2015

Doh! Totally misinterpreted that.

jeremy Sep 8, 2015

Updated to do the redirect before applying headers again.

actionpack/CHANGELOG.md
+ redirect http:// requests to https://, but the header needs to be set
+ on the initial response, not just the https:// destination.
+ * Shorter max-age. Shorten the default max-age from 1 year to 18 weeks,
+ the minimum to qualify for inclusion in browser preload lists.
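Review bot: the entry justifies 18 weeks solely as the browser preload minimum, but `preload: true` is a separate opt-in in this PR (matthewd's point below), so the default trial max-age does not have to be tied to preload qualification; either pick a shorter default for the non-preload case or state the actual reason for the chosen value in the entry.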

matthewd Sep 7, 2015

18 weeks is still a long time... if we have a separate preload: true option, would it make sense to go for a much shorter "trial" value here, when that's false?

jeremy Sep 7, 2015

Since hsts: false now sends expires: 0, we're OK to safely use longish max-age. I considered using 180 days since that's the low end for https://www.ssllabs.com/ssltest/

jeremy Sep 8, 2015

Went ahead with 180 days, may as well help people get A+ grades by default 😁

rafaelfranca Sep 8, 2015

👍

nynhex Sep 8, 2015

This is really great work, wish I could get in on this but it looks very well factored thus far. You guys amaze me on a daily basis. Thanks so much!

Make `config.force_ssl` less dangerous to try and easier to disable
SSL redirect:
* Move `:host` and `:port` options within `redirect: { … }`. Deprecate.
* Introduce `:status` and `:body` to customize the redirect response.
  The 301 permanent default makes it difficult to test the redirect and
  back out of it since browsers remember the 301. Test with a 302 or 307
  instead, then switch to 301 once you're confident that all is well.

HTTP Strict Transport Security (HSTS):
* Shorter max-age. Shorten the default max-age from 1 year to 180 days,
  the low end for https://www.ssllabs.com/ssltest/ grading and greater
  than the 18-week minimum to qualify for browser preload lists.
* Disabling HSTS. Setting `hsts: false` now sets `hsts: { expires: 0 }`
  instead of omitting the header. Omitting does nothing to disable HSTS
  since browsers hang on to your previous settings until they expire.
  Sending `{ hsts: { expires: 0 }}` flushes out old browser settings and
  actually disables HSTS:
    http://tools.ietf.org/html/rfc6797#section-6.1.1
* HSTS Preload. Introduce `preload: true` to set the `preload` flag,
  indicating that your site may be included in browser preload lists,
  including Chrome, Firefox, Safari, IE11, and Edge. Submit your site:
    https://hstspreload.appspot.com
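The option semantics described in the commit message, as an added example that is not the Rails code from this PR: a minimal Rack-style middleware (class, helper and constant names are assumptions) that redirects insecure requests with a configurable status, turns `hsts: false` into `max-age=0`, adds the `preload` flag, and sets the header only on https responses, as matthewd's RFC 6797 note requires.

```ruby
# Added example, not Rails' own ActionDispatch::SSL. Names below are assumptions.
HSTS_EXPIRES_IN = 180 * 24 * 60 * 60  # 180 days in seconds, the PR's final default

# hsts: false must actively clear the policy with max-age=0; omitting the header
# leaves whatever max-age browsers already remember in force.
def normalize_hsts_options(hsts)
  defaults = { expires: HSTS_EXPIRES_IN, preload: false }
  case hsts
  when false then { expires: 0, preload: false }
  when Hash  then defaults.merge(hsts)
  else defaults
  end
end

# Builds the Strict-Transport-Security value from normalized options.
def hsts_header_value(opts)
  value = "max-age=#{opts[:expires].to_i}"
  value += "; preload" if opts[:preload]
  value
end

class ForceSSL
  # redirect: { status:, body: } lets a deployment trial with 302/307 before 301.
  def initialize(app, redirect: {}, hsts: {})
    @app = app
    @redirect = { status: 301, body: [] }.merge(redirect)
    @hsts = normalize_hsts_options(hsts)
  end

  def call(env)
    # Redirect first: the http:// response must carry no STS header.
    return redirect_to_https(env) unless env['rack.url_scheme'] == 'https'
    status, headers, body = @app.call(env)
    # RFC 6797 section 7.2: STS only over secure transport; an app-set header wins.
    headers['Strict-Transport-Security'] ||= hsts_header_value(@hsts)
    [status, headers, body]
  end

  private

  def redirect_to_https(env)
    location = "https://#{env['HTTP_HOST']}#{env['PATH_INFO']}"
    query = env['QUERY_STRING'].to_s
    location += "?#{query}" unless query.empty?
    [@redirect[:status], { 'Location' => location }, @redirect[:body]]
  end
end
```

The `||=` on the header is what lets an application supply its own `Strict-Transport-Security` value, as the later revision of the PR allows.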
jeremy Sep 8, 2015

Updated to allow the app to provide its own Strict-Transport-Security header.

rafaelfranca Sep 8, 2015

LGTM

jeremy added a commit that referenced this pull request Sep 8, 2015

Merge pull request #21520 from jeremy/friendlier-force-ssl
Make `config.force_ssl` less dangerous to try and easier to disable

@jeremy jeremy merged commit a11571c into rails:master Sep 8, 2015


@jeremy jeremy deleted the jeremy:friendlier-force-ssl branch Sep 8, 2015

+ #
+ # Configure HSTS with `hsts: { … }`:
+ # * `expires`: How long, in seconds, these settings will stick. Defaults to
+ # `18.weeks`, the minimum required to qualify for browser preload lists.
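Review bot: the `expires` doc comment still says the default is `18.weeks`, the preload minimum, while the commit message on this PR sets the default to 180 days with the SSL Labs grading floor as the reason (reedloden flags this below; kaspth points to 7c47160 on master as the fix); the comment's value and its stated rationale should match the code.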

reedloden Sep 19, 2015

180.days now

kaspth Sep 19, 2015

Already fixed on master: 7c47160 😁

reedloden Sep 19, 2015

Ah, missed that. Awesome.

+ instead, then switch to 301 once you're confident that all is well.
+
+ HTTP Strict Transport Security (HSTS):
+ * Shorter max-age. Shorten the default max-age from 1 year to 180 days,
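Review bot: the entry states the new 180-day default but not why one year was lowered, which is exactly what reedloden asks below; folding jeremy's rationale into the entry (the old value was arbitrary with no way to back out, 180 days is the SSL Labs grading floor and exceeds the 18-week preload minimum) would save changelog readers a trip to the PR.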

reedloden Sep 19, 2015

Is there an explanation for why this was lowered?

kaspth Sep 19, 2015

Yes. The rest of the sentence (sorry to be glib) 😁

reedloden Sep 19, 2015

That doesn't answer the question... 1 year was perfectly fine, so why lower it?

kaspth Sep 19, 2015

I think the nugget is in here: #21520 (comment) - but I don't know how to elaborate.

jeremy Sep 19, 2015

One year was fine, but it was arbitrary, and we offered no way to back out of the choice. To reset expectations and improve new-user experience with a dangerous-feeling feature like this, I looked for community guidance. Browser preload qualification starts at 18-week max-age; SSL Labs recommends 180+ days. That's where most people look to improve their grade, and it's a sensible starting point.

connorshea referenced this pull request in noidedmedia/ImageHex, Oct 19, 2015: Rails 5.0 Tracking Issue #261 (open)