Comparing changes

  • 20 commits
  • 4 files changed
  • 0 commit comments
  • 7 contributors
Commits on Jan 29, 2013
@rkh use status 307 for anything but GET or HEAD f6afd3e
@josh Merge pull request #21 from rkh/redirect-307
use status 307 for anything but GET or HEAD
08390f8
@josh Rack::SSL 1.3.3 aa6adf1
Commits on Feb 06, 2013
@jordimassaguerpla add license information to gemspec
this way we can use it with rubygems.org API
eda9f80
Commits on Jun 24, 2013
@gbuesing As per spec, don't include STS header in non-https responses be02ce9
Commits on Jul 09, 2013
@xaviershay Handle bad URIs gracefully.
Some adapters (i.e. jruby-rack) will pass through bad URIs, then display
the resulting exception. This creates an attack vector for XSS attacks.
9d7d730
Commits on Aug 24, 2013
@karmi Added more installation/usage instructions into the README fe29471
Commits on Mar 13, 2014
@chopmo Return 400 instead of 404 in case of InvalidURIError 7445c16
Commits on Mar 14, 2014
@josh Merge pull request #23 from jordimassaguerpla/master
add license information to the gemspec
dce9e54
@josh Merge pull request #27 from gbuesing/hstsfix
As per spec, don't include STS header in non-https responses
5a90a79
@chopmo Include Content-Type in 400 response
To stay compatible with old Rack versions.
94041c3
@chopmo Update test 404 -> 400 2d5181d
Commits on Mar 17, 2014
@josh Merge pull request #31 from gomore/master
Handle bad URIs gracefully
d99a9b4
@josh Merge pull request #29 from karmi/patch-1
Added more installation/usage instructions into the README
4ad10c5
@josh Rack::SSL 1.4.0 e2deff3
Commits on Mar 21, 2014
@josh Skip URI parsing Request#url
URI may fail to parse some legit URL paths
9ff3adf
Commits on Mar 23, 2014
@josh Merge pull request #34 from josh/skip-uri-validation
Skip URI parsing Request#url
e6c545b
@josh Rack::SSL 1.3.4 2ae3942
@josh Merge branch '1.3.x'
Conflicts:
	lib/rack/ssl.rb
	rack-ssl.gemspec
ecf25ae
@josh Rack::SSL 1.4.1 0baafb1
README.md (8 lines changed)
@@ -7,7 +7,15 @@ Force SSL/TLS in your app.
2. Set `Strict-Transport-Security` header
3. Flag all cookies as "secure"
+
+Installation
+------------
+
+ gem install rack-ssl
+
+
Usage
-----
+ require 'rack/ssl'
use Rack::SSL
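Review bot: the new Usage section shows only `use Rack::SSL`, while the middleware takes options that this very change exercises in the tests (`:hsts => true`, `:host => "ssl.example.org"`); consider documenting those options next to the install line so a reader knows how to pin the redirect target host or configure HSTS without reading the tests.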
lib/rack/ssl.rb (15 lines changed)
@@ -46,14 +46,15 @@ def scheme(env)
end
def redirect_to_https(env)
- req = Request.new(env)
- url = URI(req.url)
- url.scheme = "https"
- url.host = @host if @host
- headers = hsts_headers.merge('Content-Type' => 'text/html',
- 'Location' => url.to_s)
+ req = Request.new(env)
- [301, headers, []]
+ host = @host || req.host
+ location = "https://#{host}#{req.fullpath}"
+
+ status = %w[GET HEAD].include?(req.request_method) ? 301 : 307
+ headers = { 'Content-Type' => 'text/html', 'Location' => location }
+
+ [status, headers, []]
end
# http://tools.ietf.org/html/draft-hodges-strict-transport-sec-02
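Review bot: `location = "https://#{host}#{req.fullpath}"` copies the request path into the Location header without the `URI(req.url)` round trip the removed lines performed, so the `URI(...)` call that could raise `InvalidURIError` (the case 7445c16 and 94041c3 turned into a 400) is gone from this method; if the 400 handling is meant to stay, confirm the test added there still exercises a live code path, and if it was dropped on purpose, say so in the commit message. Also, `host = @host || req.host` silently discards any non-default port from the incoming request (`req.host` carries no port), which is right for 80 to 443 but deserves a one-line comment. Removing the `hsts_headers.merge` is consistent with be02ce9 (no STS header on non-https responses).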
rack-ssl.gemspec (5 lines changed)
@@ -1,10 +1,11 @@
Gem::Specification.new do |s|
s.name = 'rack-ssl'
- s.version = '1.3.2'
- s.date = '2011-03-24'
+ s.version = '1.4.1'
+ s.date = '2014-03-23'
s.homepage = "https://github.com/josh/rack-ssl"
s.summary = "Force SSL/TLS in your app."
+ s.license = "MIT"
s.description = <<-EOS
Rack middleware to force SSL/TLS.
EOS
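Review bot: `s.date` is bumped by hand to '2014-03-23' together with the version; with 1.3.4 and 1.4.1 being cut from merged branches within days of each other, a hand-maintained date is easy to leave stale, so consider dropping the field (Gem::Specification defaults it to the build date) rather than editing it each release. The `s.license = "MIT"` line satisfies the rubygems.org API need from eda9f80, provided the gem actually ships a matching LICENSE file.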
test/test_ssl.rb (47 lines changed)
@@ -48,6 +48,11 @@ def test_hsts_header_by_default
last_response.headers['Strict-Transport-Security']
end
+ def test_no_hsts_with_insecure_connection
+ get "http://example.org/"
+ assert !last_response.headers['Strict-Transport-Security']
+ end
+
def test_hsts_header
self.app = Rack::SSL.new(default_app, :hsts => true)
get "https://example.org/"
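Review bot: `test_no_hsts_with_insecure_connection` asserts only the absence of the header; the http response it inspects is the redirect built by `redirect_to_https`, so adding `assert_equal 301, last_response.status` in the same test would make explicit which response is under test and would catch a future change that lets plain-http requests pass through with a 200.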
@@ -124,6 +129,13 @@ def test_redirect_to_host
last_response.headers['Location']
end
+ def test_redirect_to_host_port
+ self.app = Rack::SSL.new(default_app, :host => "ssl.example.org:443")
+ get "http://example.org/path?key=value"
+ assert_equal "https://ssl.example.org:443/path?key=value",
+ last_response.headers['Location']
+ end
+
def test_redirect_to_secure_host_when_on_subdomain
self.app = Rack::SSL.new(default_app, :host => "ssl.example.org")
get "http://ssl.example.org/path?key=value"
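Review bot: `test_redirect_to_host_port` pins that a `:host` of "ssl.example.org:443" is interpolated verbatim, port included, which matches `location = "https://#{host}#{req.fullpath}"`; what is missing is the companion case with `@host` unset and a request on a non-default port (e.g. `get "http://example.org:8080/path?key=value"`), where `req.host` drops the port and the redirect lands on 443. Adding that test makes the port-dropping behaviour a documented decision rather than an accident of `req.host`.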
@@ -137,4 +149,39 @@ def test_redirect_to_secure_subdomain_when_on_deep_subdomain
assert_equal "https://example.co.uk/path?key=value",
last_response.headers['Location']
end
+
+ def test_status_get
+ get "http://example.org/"
+ assert_equal 301, last_response.status
+ end
+
+ def test_status_head
+ head "http://example.org/"
+ assert_equal 301, last_response.status
+ end
+
+ def test_status_options
+ options "http://example.org/"
+ assert_equal 307, last_response.status
+ end
+
+ def test_status_post
+ post "http://example.org/"
+ assert_equal 307, last_response.status
+ end
+
+ def test_status_put
+ put "http://example.org/"
+ assert_equal 307, last_response.status
+ end
+
+ def test_status_delete
+ delete "http://example.org/"
+ assert_equal 307, last_response.status
+ end
+
+ def test_status_patch
+ patch "http://example.org/"
+ assert_equal 307, last_response.status
+ end
end
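Review bot: the seven `test_status_*` cases cover 301 for GET/HEAD and 307 for every other method, matching the ternary in `redirect_to_https`, but they check only the status; for the 307 cases also assert on `last_response.headers['Location']` so the test proves the method-preserving redirect points at the https URL, and consider folding the seven near-identical methods into one loop over `%w[OPTIONS POST PUT DELETE PATCH]` to avoid the copy-paste.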

No commit comments for this range