diff options
| author | Guillermo Iguaran <guilleiguaran@gmail.com> | 2018-02-24 18:20:21 -0500 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2018-02-24 18:20:21 -0500 |
| commit | efd3338b193da5ae5f0d42c4ad792d65e744428c (patch) | |
| tree | 24218760676af6b8227bc5f266443f5799ada8ed /actionpack | |
| parent | c113bdc9d0c2cffd535ca97aff85c4bdc46b11f6 (diff) | |
| parent | 697dd48b5e5787126a91ce10739f8af31d1ffd1d (diff) | |
| download | rails-efd3338b193da5ae5f0d42c4ad792d65e744428c.tar.gz rails-efd3338b193da5ae5f0d42c4ad792d65e744428c.tar.bz2 rails-efd3338b193da5ae5f0d42c4ad792d65e744428c.zip | |
Merge pull request #31720 from grantbdev/update_default_hsts_max_age
Update default HSTS max-age value to 1 year
Diffstat (limited to 'actionpack')
| -rw-r--r-- | actionpack/lib/action_dispatch/middleware/ssl.rb | 9 | ||||
| -rw-r--r-- | actionpack/test/dispatch/ssl_test.rb | 4 |
2 files changed, 6 insertions, 7 deletions
diff --git a/actionpack/lib/action_dispatch/middleware/ssl.rb b/actionpack/lib/action_dispatch/middleware/ssl.rb index ef633aadc6..6d9f36ad75 100644 --- a/actionpack/lib/action_dispatch/middleware/ssl.rb +++ b/actionpack/lib/action_dispatch/middleware/ssl.rb @@ -26,8 +26,8 @@ module ActionDispatch # Set +config.ssl_options+ with <tt>hsts: { ... }</tt> to configure HSTS: # # * +expires+: How long, in seconds, these settings will stick. The minimum - # required to qualify for browser preload lists is 18 weeks. Defaults to - # 180 days (recommended). + # required to qualify for browser preload lists is 1 year. Defaults to + # 1 year (recommended). # # * +subdomains+: Set to +true+ to tell the browser to apply these settings # to all subdomains. This protects your cookies from interception by a @@ -47,9 +47,8 @@ module ActionDispatch class SSL # :stopdoc: - # Default to 180 days, the low end for https://www.ssllabs.com/ssltest/ - # and greater than the 18-week requirement for browser preload lists. - HSTS_EXPIRES_IN = 15552000 + # Default to 1 year, the minimum for browser preload lists. + HSTS_EXPIRES_IN = 31536000 def self.default_hsts_options { expires: HSTS_EXPIRES_IN, subdomains: true, preload: false } diff --git a/actionpack/test/dispatch/ssl_test.rb b/actionpack/test/dispatch/ssl_test.rb index 8ac9502af9..90f2ee46ea 100644 --- a/actionpack/test/dispatch/ssl_test.rb +++ b/actionpack/test/dispatch/ssl_test.rb @@ -98,8 +98,8 @@ class RedirectSSLTest < SSLTest end class StrictTransportSecurityTest < SSLTest - EXPECTED = "max-age=15552000" - EXPECTED_WITH_SUBDOMAINS = "max-age=15552000; includeSubDomains" + EXPECTED = "max-age=31536000" + EXPECTED_WITH_SUBDOMAINS = "max-age=31536000; includeSubDomains" def assert_hsts(expected, url: "https://example.org", hsts: { subdomains: true }, headers: {}) self.app = build_app ssl_options: { hsts: hsts }, headers: headers |