| author | Egor Homakov <homakov@gmail.com> | 2015-12-18 16:19:49 +0300 |
|---|---|---|
| committer | Prathamesh Sonpatki <csonpatki@gmail.com> | 2016-02-25 09:08:44 +0530 |
| commit | 6eb3a1b0587cbad20b180a9d6c7b3a5fbcc91e8b (patch) | |
| tree | 04a9c1823562c424d2216473fc530d99ac63b127 | |
| parent | 50e4433b051829350984f0c5eb1271243f6d229d (diff) | |
HSTS without IncludeSubdomains is often useless
1) Because if you forget to add `Secure;` to the session cookie, it will leak to an http:// subdomain in some cases
2) Because an http:// subdomain can Cookie Bomb/cookie-force the main domain or be used for phishing.
That's why *by default* it must include subdomains, as it's a much more common scenario. Very few websites *intend* to leave their blog.app.com working over http:// while having everything else encrypted.
Yes, many developers forget to add subdomains=true by default, believe me :)
-rw-r--r-- | actionpack/lib/action_dispatch/middleware/ssl.rb | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/actionpack/lib/action_dispatch/middleware/ssl.rb b/actionpack/lib/action_dispatch/middleware/ssl.rb index 735b5939dd..823cefe957 100644 --- a/actionpack/lib/action_dispatch/middleware/ssl.rb +++ b/actionpack/lib/action_dispatch/middleware/ssl.rb @@ -40,7 +40,7 @@ module ActionDispatch HSTS_EXPIRES_IN = 15552000 def self.default_hsts_options - { expires: HSTS_EXPIRES_IN, subdomains: false, preload: false } + { expires: HSTS_EXPIRES_IN, subdomains: true, preload: false } end def initialize(app, redirect: {}, hsts: {}, secure_cookies: true, **options) |
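Review bot: the hunk flips `subdomains: false` to `subdomains: true` in `default_hsts_options`, which changes behaviour for every app that passes no `hsts:` option to `initialize`, yet the diffstat shows only `ssl.rb` touched, with no test and no CHANGELOG entry. Because a subdomain still served over plain http:// stops loading once browsers have cached an includeSubDomains policy for the parent domain, the change should ship with a changelog line stating the new default and the opt-out (`hsts: { subdomains: false }` passed to the middleware), plus a test asserting that `default_hsts_options` now returns `subdomains: true`. `HSTS_EXPIRES_IN` and `preload: false` are unchanged, so the cached policy lifetime is not affected by this patch.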