2 files changed, 28 insertions, 8 deletions

diff --git a/actionpack/lib/action_dispatch/middleware/ssl.rb b/actionpack/lib/action_dispatch/middleware/ssl.rb
index 823cefe957..b2383385c5 100644
--- a/actionpack/lib/action_dispatch/middleware/ssl.rb
+++ b/actionpack/lib/action_dispatch/middleware/ssl.rb
@@ -40,7 +40,7 @@ module ActionDispatch
     HSTS_EXPIRES_IN = 15552000
 
     def self.default_hsts_options
-      { expires: HSTS_EXPIRES_IN, subdomains: true, preload: false }
+      { expires: HSTS_EXPIRES_IN, subdomains: false, preload: false }
     end
 
     def initialize(app, redirect: {}, hsts: {}, secure_cookies: true, **options)
@@ -57,6 +57,17 @@ module ActionDispatch
       end
 
       @secure_cookies = secure_cookies
+
+      if hsts != true && hsts != false && hsts[:subdomains].nil?
+        hsts[:subdomains] = false
+
+        ActiveSupport::Deprecation.warn <<-end_warning.strip_heredoc
+          In Rails 5.1, HSTS support for subdomains will be turned on by default.
+          Set `config.ssl_options = { hsts: { subdomains: false }}` to opt out
+          of this behavior.
+        end_warning
+      end
+
       @hsts_header = build_hsts_header(normalize_hsts_options(hsts))
     end
 
diff --git a/actionpack/test/dispatch/ssl_test.rb b/actionpack/test/dispatch/ssl_test.rb
index c66a0e6a7a..18ff894b31 100644
--- a/actionpack/test/dispatch/ssl_test.rb
+++ b/actionpack/test/dispatch/ssl_test.rb
@@ -7,7 +7,7 @@ class SSLTest < ActionDispatch::IntegrationTest
 
   def build_app(headers: {}, ssl_options: {})
     headers = HEADERS.merge(headers)
-    ActionDispatch::SSL.new lambda { |env| [200, headers, []] }, ssl_options
+    ActionDispatch::SSL.new lambda { |env| [200, headers, []] }, ssl_options.reverse_merge(hsts: { subdomains: true })
   end
 end
 
@@ -98,15 +98,16 @@ end
 
 class StrictTransportSecurityTest < SSLTest
   EXPECTED = 'max-age=15552000'
+  EXPECTED_WITH_SUBDOMAINS = 'max-age=15552000; includeSubDomains'
 
-  def assert_hsts(expected, url: 'https://example.org', hsts: {}, headers: {})
+  def assert_hsts(expected, url: 'https://example.org', hsts: { subdomains: true }, headers: {})
     self.app = build_app ssl_options: { hsts: hsts }, headers: headers
     get url
     assert_equal expected, response.headers['Strict-Transport-Security']
   end
 
   test 'enabled by default' do
-    assert_hsts EXPECTED
+    assert_hsts EXPECTED_WITH_SUBDOMAINS
   end
 
   test 'not sent with http:// responses' do
@@ -126,11 +127,15 @@ class StrictTransportSecurityTest < SSLTest
   end
 
   test ':expires sets max-age' do
-    assert_hsts 'max-age=500', hsts: { expires: 500 }
+    assert_deprecated do
+      assert_hsts 'max-age=500', hsts: { expires: 500 }
+    end
   end
 
   test ':expires supports AS::Duration arguments' do
-    assert_hsts 'max-age=31557600', hsts: { expires: 1.year }
+    assert_deprecated do
+      assert_hsts 'max-age=31557600', hsts: { expires: 1.year }
+    end
   end
 
   test 'include subdomains' do
@@ -142,11 +147,15 @@ class StrictTransportSecurityTest < SSLTest
   end
 
   test 'opt in to browser preload lists' do
-    assert_hsts "#{EXPECTED}; preload", hsts: { preload: true }
+    assert_deprecated do
+      assert_hsts "#{EXPECTED}; preload", hsts: { preload: true }
+    end
   end
 
   test 'opt out of browser preload lists' do
-    assert_hsts EXPECTED, hsts: { preload: false }
+    assert_deprecated do
+      assert_hsts EXPECTED, hsts: { preload: false }
+    end
   end
 end