diff options
| -rw-r--r-- | actionpack/lib/action_dispatch/middleware/ssl.rb | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/actionpack/lib/action_dispatch/middleware/ssl.rb b/actionpack/lib/action_dispatch/middleware/ssl.rb index b2383385c5..d6a0fe650c 100644 --- a/actionpack/lib/action_dispatch/middleware/ssl.rb +++ b/actionpack/lib/action_dispatch/middleware/ssl.rb @@ -23,7 +23,7 @@ module ActionDispatch # preload lists is `18.weeks`. # * `subdomains`: Set to `true` to tell the browser to apply these settings # to all subdomains. This protects your cookies from interception by a - # vulnerable site on a subdomain. Defaults to `false`. + # vulnerable site on a subdomain. Defaults to `true`. # * `preload`: Advertise that this site may be included in browsers' # preloaded HSTS lists. HSTS protects your site on every visit *except the # first visit* since it hasn't seen your HSTS header yet. To close this @@ -62,8 +62,8 @@ module ActionDispatch hsts[:subdomains] = false ActiveSupport::Deprecation.warn <<-end_warning.strip_heredoc - In Rails 5.1, HSTS support for subdomains will be turned on by default. - Set `config.ssl_options = { hsts: { subdomains: false }}` to opt out + In Rails 5.1, The `:subdomains` option of HSTS config will be treated as true if + unspecified. Set `config.ssl_options = { hsts: { subdomains: false }}` to opt out of this behavior. end_warning end |