-
Notifications
You must be signed in to change notification settings - Fork 21.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Enable HSTS with IncludeSubdomains header by default for new apps #23852
Enable HSTS with IncludeSubdomains header by default for new apps #23852
Conversation
@@ -0,0 +1 @@ | |||
Rails.application.config.action_dispatch.hsts_subdomains = true |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Instead of a new option can we set Rails.application.config.action_dispatch.ssl_options = { subdomains: true }
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@rafaelfranca That will mess up with existing ssl_options present in config/environments/production.rb
right?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is there any existent in production.rb? I could not find it in the repository. If that is the case we can try to use merge
with the already existent value.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah okey config.ssl_options
is different that config.action_dispatch.ssl_options
.
But you meant reusing config.ssl_options
right?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Right. config.ssl_options
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@rafaelfranca We can do
Rails.application.config.ssl_options.merge!({ hsts: { subdomains: true } })
But that can mess up with setting the default hsts options here - https://github.com/prathamesh-sonpatki/rails/blob/master/actionpack/lib/action_dispatch/middleware/ssl.rb#L82.
Note that we are passing options only in case of https://github.com/prathamesh-sonpatki/rails/blob/master/actionpack/lib/action_dispatch/middleware/ssl.rb#L92.
options are config.ssl_options[:hsts]
So if we want to reuse config.ssl_options then we will have to update each branch in https://github.com/prathamesh-sonpatki/rails/blob/master/actionpack/lib/action_dispatch/middleware/ssl.rb#L82 to pass options[:subdomains].
It will override user's config.ssl_options[:hsts] though as we will have a default hash instead of true/false/nil/custom options.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't get that is the problem. If we merged { expires: HSTS_EXPIRES_IN, subdomains: false, preload: false }
with { subdomain: true }
would not the result be { expires: HSTS_EXPIRES_IN, subdomains: true, preload: false }
?
>> default = { expires: 1, subdomains: false, preload: false }
=> {:expires=>1, :subdomains=>false, :preload=>false}
>> default.merge(subdomains: true)
=> {:expires=>1, :subdomains=>true, :preload=>false}
bcbafe1
to
bdb3719
Compare
@@ -0,0 +1 @@ | |||
Rails.application.config.ssl_options.reverse_merge!({ hsts: { subdomains: true } }) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@rafaelfranca Made the change as per our discussion. This will make sure that we don't mess up with user's config.ssl_options[:hsts]
. It can be false or true or whatever, it will still remain that value after this initializer will get run.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We can just set the ssl_option directly, not need to merge. This line will be generated only in new applications, so there is no ssl_options
set anywhere. For existent applications we will let the deprecation warning handle it.
We will need to update the config_when_updating
method in the generators to not generate this file.
Also it should be named ssl_options.rb
1) Because if you forget to add Secure; to the session cookie, it will leak to http:// subdomain in some cases 2) Because http:// subdomain can Cookie Bomb/cookie force main domain or be used for phishing. That's why *by default* it must include subdomains as it's much more common scenario. Very few websites *intend* to leave their blog.app.com working over http:// while having everything else encrypted. Yes, many developers forget to add subdomains=true by default, believe me :)
…th subdomains - We will reuse config.ssl_options for setting the HSTS settings.
- We will remove the initializer for old apps which are migrated to Rails 5 so that they are not affected by this breaking change.
- For old apps which are not setting any value for hsts[:subdomains], a deprecation warning will be shown saying that hsts[:subdomains] will be turned on by default in Rails 5.1. Currently it will be set to false for backward compatibility. - Adjusted tests to reflect this change.
bdb3719
to
31cf0f5
Compare
r? @rafaelfranca Please review. |
Enable HSTS with IncludeSubdomains header by default for new apps
Fixes #22663