diff options
| author | Jeremy Daer <jeremydaer@gmail.com> | 2015-09-06 19:24:00 -0700 |
|---|---|---|
| committer | Jeremy Daer <jeremydaer@gmail.com> | 2015-09-07 17:57:20 -0700 |
| commit | f674922462a15b6498e915fc0669550258410c02 (patch) | |
| tree | 7e11de7e74cf649e06ed08a418dceb69c82ee6b7 /activesupport | |
| parent | f1f0a3f8d99aef8aacfa81ceac3880dcac03ca06 (diff) | |
| download | rails-f674922462a15b6498e915fc0669550258410c02.tar.gz rails-f674922462a15b6498e915fc0669550258410c02.tar.bz2 rails-f674922462a15b6498e915fc0669550258410c02.zip | |
Make `config.force_ssl` less dangerous to try and easier to disable
SSL redirect:
* Move `:host` and `:port` options within `redirect: { … }`. Deprecate.
* Introduce `:status` and `:body` to customize the redirect response.
The 301 permanent default makes it difficult to test the redirect and
back out of it since browsers remember the 301. Test with a 302 or 307
instead, then switch to 301 once you're confident that all is well.
HTTP Strict Transport Security (HSTS):
* Shorter max-age. Shorten the default max-age from 1 year to 180 days,
the low end for https://www.ssllabs.com/ssltest/ grading and greater
than the 18-week minimum to qualify for browser preload lists.
* Disabling HSTS. Setting `hsts: false` now sets `hsts: { expires: 0 }`
instead of omitting the header. Omitting does nothing to disable HSTS
since browsers hang on to your previous settings until they expire.
Sending `{ hsts: { expires: 0 }}` flushes out old browser settings and
actually disables HSTS:
http://tools.ietf.org/html/rfc6797#section-6.1.1
* HSTS Preload. Introduce `preload: true` to set the `preload` flag,
indicating that your site may be included in browser preload lists,
including Chrome, Firefox, Safari, IE11, and Edge. Submit your site:
https://hstspreload.appspot.com
Diffstat (limited to 'activesupport')
0 files changed, 0 insertions, 0 deletions