aboutsummaryrefslogtreecommitdiffstats
path: root/RELEASING_RAILS.md
diff options
context:
space:
mode:
authorJeremy Daer <jeremydaer@gmail.com>2015-09-06 19:24:00 -0700
committerJeremy Daer <jeremydaer@gmail.com>2015-09-07 17:57:20 -0700
commitf674922462a15b6498e915fc0669550258410c02 (patch)
tree7e11de7e74cf649e06ed08a418dceb69c82ee6b7 /RELEASING_RAILS.md
parentf1f0a3f8d99aef8aacfa81ceac3880dcac03ca06 (diff)
downloadrails-f674922462a15b6498e915fc0669550258410c02.tar.gz
rails-f674922462a15b6498e915fc0669550258410c02.tar.bz2
rails-f674922462a15b6498e915fc0669550258410c02.zip
Make `config.force_ssl` less dangerous to try and easier to disable
SSL redirect: * Move `:host` and `:port` options within `redirect: { … }`. Deprecate. * Introduce `:status` and `:body` to customize the redirect response. The 301 permanent default makes it difficult to test the redirect and back out of it since browsers remember the 301. Test with a 302 or 307 instead, then switch to 301 once you're confident that all is well. HTTP Strict Transport Security (HSTS): * Shorter max-age. Shorten the default max-age from 1 year to 180 days, the low end for https://www.ssllabs.com/ssltest/ grading and greater than the 18-week minimum to qualify for browser preload lists. * Disabling HSTS. Setting `hsts: false` now sets `hsts: { expires: 0 }` instead of omitting the header. Omitting does nothing to disable HSTS since browsers hang on to your previous settings until they expire. Sending `{ hsts: { expires: 0 }}` flushes out old browser settings and actually disables HSTS: http://tools.ietf.org/html/rfc6797#section-6.1.1 * HSTS Preload. Introduce `preload: true` to set the `preload` flag, indicating that your site may be included in browser preload lists, including Chrome, Firefox, Safari, IE11, and Edge. Submit your site: https://hstspreload.appspot.com
Diffstat (limited to 'RELEASING_RAILS.md')
0 files changed, 0 insertions, 0 deletions