path: root/actionpack/test/dispatch/mapper_test.rb
author: Egor Homakov <homakov@gmail.com> 2015-12-18 16:19:49 +0300
committer: Prathamesh Sonpatki <csonpatki@gmail.com> 2016-02-25 09:08:44 +0530
commit: 6eb3a1b0587cbad20b180a9d6c7b3a5fbcc91e8b (patch)
tree: 04a9c1823562c424d2216473fc530d99ac63b127 /actionpack/test/dispatch/mapper_test.rb
parent: 50e4433b051829350984f0c5eb1271243f6d229d (diff)
HSTS without IncludeSubdomains is often useless
1) Because if you forget to add Secure; to the session cookie, it will leak to an http:// subdomain in some cases.
2) Because an http:// subdomain can Cookie Bomb/cookie-force the main domain or be used for phishing.

That's why *by default* it must include subdomains, as it's the much more common scenario. Very few websites *intend* to leave their blog.app.com working over http:// while having everything else encrypted. Yes, many developers forget to add subdomains=true by default, believe me :)
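The two failure modes the commit message names (an HSTS policy that stops at the apex domain, and a session cookie without the Secure attribute) are easy to check for from the response headers alone. The Ruby below is an added example, not code from this commit or from Rails: it builds a Strict-Transport-Security value with includeSubDomains on by default, parses one back, and audits a constructed set of response headers for both problems. The header values, the cookie name `_session_id` and the helper names are assumptions made for the example.

```ruby
# Added example (not from the Rails commit): build an HSTS header the way a
# middleware would, then audit response headers for the two problems the
# commit message describes.

# Build a Strict-Transport-Security value. `subdomains` defaults to true,
# matching the commit's argument that it should be on unless opted out.
def hsts_header(max_age: 31_536_000, subdomains: true, preload: false)
  parts = ["max-age=#{max_age}"]
  parts << "includeSubDomains" if subdomains
  parts << "preload" if preload
  parts.join("; ")
end

# Parse an HSTS value into a hash of directive name => value.
# Directive names are case-insensitive (RFC 6797), so they are downcased.
def parse_hsts(value)
  directives = {}
  value.split(";").each do |part|
    name, val = part.strip.split("=", 2)
    next if name.nil? || name.empty?
    directives[name.downcase] = val
  end
  directives
end

# Audit a hash of response headers (Set-Cookie may be an array of strings).
# Returns an array of findings; an empty array means both checks passed.
def audit_tls_headers(headers, session_cookie_name: "_session_id")
  findings = []
  hsts = headers["Strict-Transport-Security"]
  if hsts.nil?
    findings << "no Strict-Transport-Security header"
  else
    d = parse_hsts(hsts)
    findings << "HSTS max-age missing or zero" if d["max-age"].to_i <= 0
    unless d.key?("includesubdomains")
      findings << "HSTS lacks includeSubDomains: http:// subdomains stay reachable"
    end
  end

  Array(headers["Set-Cookie"]).each do |cookie|
    attrs = cookie.split(";").map(&:strip)
    name = attrs.first.split("=", 2).first
    next unless name == session_cookie_name
    unless attrs.drop(1).any? { |a| a.casecmp?("Secure") }
      findings << "session cookie lacks Secure: it would be sent to an http:// subdomain"
    end
  end
  findings
end

# Constructed sample responses: the weak one is exactly the situation the
# commit message warns about, the strong one is the intended configuration.
WEAK_HEADERS = {
  "Strict-Transport-Security" => "max-age=31536000",
  "Set-Cookie" => ["_session_id=abc123; Path=/; HttpOnly"]
}.freeze

STRONG_HEADERS = {
  "Strict-Transport-Security" => hsts_header,
  "Set-Cookie" => ["_session_id=abc123; Path=/; HttpOnly; Secure"]
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts "weak:   #{audit_tls_headers(WEAK_HEADERS).inspect}"
  puts "strong: #{audit_tls_headers(STRONG_HEADERS).inspect}"
end
```

Running the file prints two findings for the weak response and none for the strong one. The audit deliberately treats a missing includeSubDomains as a finding rather than a warning, which is the same default the commit argues for.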
Diffstat (limited to 'actionpack/test/dispatch/mapper_test.rb')
0 files changed, 0 insertions, 0 deletions