Enable HSTS with IncludeSubdomains header by default for new apps#23852
Conversation
There was a problem hiding this comment.
Instead of a new option can we set Rails.application.config.action_dispatch.ssl_options = { subdomains: true }?
There was a problem hiding this comment.
@rafaelfranca That will mess up with existing ssl_options present in config/environments/production.rb right?
There was a problem hiding this comment.
Is there any existent in production.rb? I could not find it in the repository. If that is the case we can try to use merge with the already existent value.
There was a problem hiding this comment.
Ah okey config.ssl_options is different that config.action_dispatch.ssl_options.
But you meant reusing config.ssl_options right?
There was a problem hiding this comment.
@rafaelfranca We can do
Rails.application.config.ssl_options.merge!({ hsts: { subdomains: true } })But that can mess up with setting the default hsts options here - https://github.com/prathamesh-sonpatki/rails/blob/master/actionpack/lib/action_dispatch/middleware/ssl.rb#L82.
Note that we are passing options only in case of https://github.com/prathamesh-sonpatki/rails/blob/master/actionpack/lib/action_dispatch/middleware/ssl.rb#L92.
options are config.ssl_options[:hsts]
So if we want to reuse config.ssl_options then we will have to update each branch in https://github.com/prathamesh-sonpatki/rails/blob/master/actionpack/lib/action_dispatch/middleware/ssl.rb#L82 to pass options[:subdomains].
It will override user's config.ssl_options[:hsts] though as we will have a default hash instead of true/false/nil/custom options.
There was a problem hiding this comment.
I don't get that is the problem. If we merged { expires: HSTS_EXPIRES_IN, subdomains: false, preload: false } with { subdomain: true } would not the result be { expires: HSTS_EXPIRES_IN, subdomains: true, preload: false }?
>> default = { expires: 1, subdomains: false, preload: false }
=> {:expires=>1, :subdomains=>false, :preload=>false}
>> default.merge(subdomains: true)
=> {:expires=>1, :subdomains=>true, :preload=>false}
prathamesh-sonpatki
force-pushed
the
hsts-subdomains
branch
from
bcbafe1 to
bdb3719
Compare
There was a problem hiding this comment.
@rafaelfranca Made the change as per our discussion. This will make sure that we don't mess up with user's config.ssl_options[:hsts]. It can be false or true or whatever, it will still remain that value after this initializer will get run.
There was a problem hiding this comment.
We can just set the ssl_option directly, not need to merge. This line will be generated only in new applications, so there is no ssl_options set anywhere. For existent applications we will let the deprecation warning handle it.
We will need to update the config_when_updating method in the generators to not generate this file.
Also it should be named ssl_options.rb
1) Because if you forget to add Secure; to the session cookie, it will leak to http:// subdomain in some cases 2) Because http:// subdomain can Cookie Bomb/cookie force main domain or be used for phishing. That's why *by default* it must include subdomains as it's much more common scenario. Very few websites *intend* to leave their blog.app.com working over http:// while having everything else encrypted. Yes, many developers forget to add subdomains=true by default, believe me :)
…th subdomains - We will reuse config.ssl_options for setting the HSTS settings.
- We will remove the initializer for old apps which are migrated to Rails 5 so that they are not affected by this breaking change.
- For old apps which are not setting any value for hsts[:subdomains], a deprecation warning will be shown saying that hsts[:subdomains] will be turned on by default in Rails 5.1. Currently it will be set to false for backward compatibility. - Adjusted tests to reflect this change.
prathamesh-sonpatki
force-pushed
the
hsts-subdomains
branch
from
bdb3719 to
31cf0f5
Compare
prathamesh-sonpatki
changed the title
|
r? @rafaelfranca Please review. |
Enable HSTS with IncludeSubdomains header by default for new apps
3 participants
Fixes #22663