Merge pull request #27 from gbuesing/hstsfix
As per spec, don't include STS header in non-https responses
josh committed Mar 14, 2014
2 parents dce9e54 + be02ce9 commit 5a90a79
Showing 2 changed files with 6 additions and 2 deletions.
3 changes: 1 addition & 2 deletions lib/rack/ssl.rb
Expand Up @@ -51,8 +51,7 @@ def redirect_to_https(env)
url.scheme = "https"
url.host = @host if @host
status = %w[GET HEAD].include?(req.request_method) ? 301 : 307
headers = hsts_headers.merge('Content-Type' => 'text/html',
'Location' => url.to_s)
headers = { 'Content-Type' => 'text/html', 'Location' => url.to_s }

[status, headers, []]
end
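Review bot: Dropping `hsts_headers.merge(...)` from the redirect branch is correct per RFC 6797 (a user agent must ignore a Strict-Transport-Security header received over a non-secure transport), so this is a conformance cleanup rather than a fix for a weakness: the header was never honoured on the plain-HTTP 301/307 response, and the HSTS policy is still only learned from the HTTPS response. Worth confirming that `hsts_headers` remains wired into the HTTPS path elsewhere in `call`, since this hunk is now the only place the redirect builds its headers and the existing `test_hsts_header_by_default` is what guards the secure-side behaviour.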
5 changes: 5 additions & 0 deletions test/test_ssl.rb
Expand Up @@ -48,6 +48,11 @@ def test_hsts_header_by_default
last_response.headers['Strict-Transport-Security']
end

def test_no_hsts_with_insecure_connection
get "http://example.org/"
assert !last_response.headers['Strict-Transport-Security']
end

def test_hsts_header
self.app = Rack::SSL.new(default_app, :hsts => true)
get "https://example.org/"
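Review bot: `test_no_hsts_with_insecure_connection` can pass vacuously, because `assert !last_response.headers['Strict-Transport-Security']` holds for any response that lacks the header, including one where the middleware did not redirect at all. Suggest pinning the branch under test with `assert_equal 301, last_response.status` (GET should hit the 301 path) before the header check, and using `assert_nil last_response.headers['Strict-Transport-Security']` so a regression reports the offending value instead of a bare "failed assertion".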
