Enable HSTS with IncludeSubdomains header by default for new apps #23852

Merged
merged 6 commits into from Feb 26, 2016

@prathamesh-sonpatki
Member

prathamesh-sonpatki commented Feb 24, 2016

Fixes #22663

Review comments (now outdated) by rafaelfranca and prathamesh-sonpatki on:
- ...ls/generators/rails/app/templates/config/initializers/hsts_subdomains.rb
- actionpack/lib/action_dispatch/middleware/ssl.rb

homakov and others added some commits Dec 18, 2015

HSTS without IncludeSubdomains is often useless
1) Because if you forget to add Secure; to the session cookie, it will leak to an http:// subdomain in some cases.
2) Because an http:// subdomain can Cookie Bomb/cookie force the main domain or be used for phishing.

That's why *by default* it must include subdomains, as it's a much more common scenario. Very few websites *intend* to leave their blog.app.com working over http:// while having everything else encrypted.

Yes, many developers forget to add subdomains=true by default, believe me :)

New applications will be generated with ssl_options to enable HSTS with subdomains
- We will reuse config.ssl_options for setting the HSTS settings.

Old applications will not get the ssl_options initializer
- We will remove the initializer for old apps which are migrated to Rails 5 so that they are not affected by this breaking change.

Added deprecation for older apps
- For old apps which are not setting any value for hsts[:subdomains], a deprecation warning will be shown saying that hsts[:subdomains] will be turned on by default in Rails 5.1. Currently it will be set to false for backward compatibility.
- Adjusted tests to reflect this change.
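To make the rationale in these commits concrete, here is an added Ruby example (not the Rails middleware's own code): a hypothetical HstsPolicy module builds the Strict-Transport-Security header from an ssl_options-style hash with hsts[:subdomains] defaulting to true, and an audit helper flags a response header that omits includeSubDomains. The one-year default max-age and the module and method names are assumptions made for this example.

```ruby
# Added example, not code from the Rails repository. HstsPolicy is a
# hypothetical stand-in for the header-building part of an SSL middleware.
module HstsPolicy
  ONE_YEAR = 365 * 24 * 60 * 60 # seconds; assumed default, not Rails' own value

  # Build the Strict-Transport-Security value from ssl_options-style settings.
  # hsts: false disables HSTS (returns nil); hsts: true uses all defaults.
  def self.header(ssl_options = {})
    hsts = ssl_options.fetch(:hsts, {})
    return nil if hsts == false
    hsts = {} if hsts == true
    expires    = hsts.fetch(:expires, ONE_YEAR)
    subdomains = hsts.fetch(:subdomains, true) # the PR's new default: on
    parts = ["max-age=#{expires.to_i}"]
    parts << "includeSubDomains" if subdomains
    parts << "preload" if hsts[:preload]
    parts.join("; ")
  end

  # Defender-side check on a response header: reports the gaps the commit
  # message describes (no includeSubDomains) plus a short max-age.
  def self.audit(header_value)
    if header_value.nil? || header_value.strip.empty?
      return { present: false, findings: ["no HSTS header"] }
    end
    directives = header_value.split(";").map { |d| d.strip.downcase }
    max_age = directives.find { |d| d.start_with?("max-age=") }&.split("=", 2)&.last.to_i
    subdomains = directives.include?("includesubdomains")
    findings = []
    findings << "includeSubDomains missing: http:// subdomains stay reachable" unless subdomains
    findings << "max-age below one year" if max_age < ONE_YEAR
    { present: true, max_age: max_age, subdomains: subdomains, findings: findings }
  end
end

if __FILE__ == $0
  # Constructed sample: a header an older app without hsts[:subdomains] would send.
  puts HstsPolicy.header(hsts: { subdomains: false })
  puts HstsPolicy.audit("max-age=31536000")[:findings].inspect
end
```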

@prathamesh-sonpatki prathamesh-sonpatki changed the title from [WIP] Enable HSTS with IncludeSubdomains by default for new apps to Enable HSTS with IncludeSubdomains header by default for new apps Feb 25, 2016

@prathamesh-sonpatki
Member

prathamesh-sonpatki commented Feb 25, 2016

r? @rafaelfranca Please review.

rafaelfranca added a commit that referenced this pull request Feb 26, 2016

Merge pull request #23852 from prathamesh-sonpatki/hsts-subdomains
Enable HSTS with IncludeSubdomains header by default for new apps

@rafaelfranca rafaelfranca merged commit 0e24fcc into rails:master Feb 26, 2016

1 check passed
continuous-integration/travis-ci/pr: The Travis CI build passed

@prathamesh-sonpatki prathamesh-sonpatki deleted the prathamesh-sonpatki:hsts-subdomains branch Feb 26, 2016
