path: root/actionpack/lib/action_dispatch/middleware/ssl.rb
Commit log, newest first. Each entry gives the commit message, author, date, number of files changed and lines removed/added.

* Return 307 status instead of 301 when rerouting POST requests to SSL
  Chirag Singhal, 2016-08-22; 1 file changed, -1/+9

  When `config.force_ssl` is set to `true`, any POST/PUT/DELETE requests coming in to a non-secure URL are being redirected with a 301 status. However, when that happens, the request is converted to a GET request and ends up hitting a different action on the controller. Since we cannot do non-GET redirects, we can instead redirect with a 307 status code to indicate to the caller that a fresh request should be tried preserving the original request method.

  The `rack-ssl` gem, which was used to achieve this before we had this middleware directly baked into Rails, also used to do the same, ref: https://github.com/josh/rack-ssl/blob/master/lib/rack/ssl.rb#L54

  This would be especially important for any apps switching from older versions of Rails or apps which expose an API through Rails.
* applies new string literal convention in actionpack/lib
  Xavier Noria, 2016-08-06; 1 file changed, -5/+5

  The current code base is not uniform. After some discussion, we have chosen to go with double quotes by default.
* [ci skip] Correct defaults in documentation for ActionDispatch::SSL
  Tim Rogers, 2016-07-06; 1 file changed, -4/+5

  `config.ssl_options` permits configuring various options for the middleware. Default options for HSTS (specified with the `:hsts` key in the options hash) are specified in `.default_hsts_options`. The documentation did not make clear these defaults, and in one case was wrong.
* [ci skip] Fix constrain_to documentation.
  Kasper Timm Hansen, 2016-03-03; 1 file changed, -1/+1

  Forgot to update the documentation on the line just above the one I was changing in 4933132. Well done, Kasper :+1:
* Rename constrain_to to exclude.
  Kasper Timm Hansen, 2016-03-03; 1 file changed, -3/+4

  `ActionDispatch::SSL` redirects all HTTP requests to HTTPS, not just some. The `constrain_to` option inverts this, so it sounds like the middleware only handles a few requests, rather than the majority with a few routes to opt out of the redirect. Renaming to `exclude` matches this intent more closely.
* add `constraint_to` option to SSL middleware
  Greg Molnar, 2016-02-28; 1 file changed, -2/+6
* :nail_care:
  Rafael Mendonça França, 2016-02-25; 1 file changed, -2/+2
* Update documentation and deprecation message
  Prathamesh Sonpatki, 2016-02-25; 1 file changed, -3/+3
* Added deprecation for older apps
  Prathamesh Sonpatki, 2016-02-25; 1 file changed, -1/+12

  - For old apps which are not setting any value for hsts[:subdomains], a deprecation warning will be shown saying that hsts[:subdomains] will be turned on by default in Rails 5.1. Currently it will be set to false for backward compatibility.
  - Adjusted tests to reflect this change.
* HSTS without IncludeSubdomains is often useless
  Egor Homakov, 2016-02-25; 1 file changed, -1/+1

  1) Because if you forget to add Secure; to the session cookie, it will leak to an http:// subdomain in some cases.
  2) Because an http:// subdomain can Cookie Bomb/cookie force the main domain or be used for phishing.

  That's why *by default* it must include subdomains, as it's a much more common scenario. Very few websites *intend* to leave their blog.app.com working over http:// while having everything else encrypted. Yes, many developers forget to add subdomains=true by default, believe me :)
* Flexible configuration for ActionDispatch::SSL
  Tim Rogers, 2015-12-29; 1 file changed, -8/+12
* Improve RDoc documentation of ActionDispatch::SSL
  Tim Rogers, 2015-12-24; 1 file changed, -12/+14
* Fix HSTS default expire in ActionDispatch::SSL docs.
  Pedro Nascimento, 2015-09-14; 1 file changed, -1/+2
* Make `config.force_ssl` less dangerous to try and easier to disable
  Jeremy Daer, 2015-09-07; 1 file changed, -36/+92

  SSL redirect:

  * Move `:host` and `:port` options within `redirect: { … }`. Deprecate.
  * Introduce `:status` and `:body` to customize the redirect response. The 301 permanent default makes it difficult to test the redirect and back out of it since browsers remember the 301. Test with a 302 or 307 instead, then switch to 301 once you're confident that all is well.

  HTTP Strict Transport Security (HSTS):

  * Shorter max-age. Shorten the default max-age from 1 year to 180 days, the low end for https://www.ssllabs.com/ssltest/ grading and greater than the 18-week minimum to qualify for browser preload lists.
  * Disabling HSTS. Setting `hsts: false` now sets `hsts: { expires: 0 }` instead of omitting the header. Omitting does nothing to disable HSTS since browsers hang on to your previous settings until they expire. Sending `{ hsts: { expires: 0 }}` flushes out old browser settings and actually disables HSTS: http://tools.ietf.org/html/rfc6797#section-6.1.1
  * HSTS Preload. Introduce `preload: true` to set the `preload` flag, indicating that your site may be included in browser preload lists, including Chrome, Firefox, Safari, IE11, and Edge. Submit your site: https://hstspreload.appspot.com
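The redirect step that this commit and the 307 commit at the head of this log describe, as an added example in the shape a Rack middleware's redirect takes (example code, not Rails' own `ActionDispatch::SSL`; the helper names and the `:status`, `:body`, `:host` and `:port` options are assumptions modelled on the commit messages, and the sample requests are constructed):

```ruby
# Added example, not Rails' own code: the redirect step of an SSL-enforcing
# Rack middleware. Env keys are the standard Rack ones; helper names and the
# :status/:body/:host/:port option names are assumptions mirroring the log.

# Methods a client may safely replay as GET after a 301/302.
SAFE_METHODS = %w[GET HEAD].freeze

# Status that preserves the request method when the caller did not pick one:
# 301 for GET/HEAD, 307 for POST/PUT/PATCH/DELETE so the client repeats the
# same method (and body) against the https URL instead of degrading to GET.
def redirect_status_for(env)
  SAFE_METHODS.include?(env.fetch("REQUEST_METHOD")) ? 301 : 307
end

# https URL for the same path and query. :host and :port override the
# request's own values (e.g. when TLS terminates on a different host).
# Assumption: the plain-http port is dropped and 443 is implied unless given.
def https_location_for(env, host: nil, port: nil)
  host ||= env.fetch("HTTP_HOST").sub(/:\d+\z/, "")
  port ||= 443
  authority = port == 443 ? host : "#{host}:#{port}"
  path = env.fetch("PATH_INFO")
  query = env.fetch("QUERY_STRING", "")
  path += "?#{query}" unless query.empty?
  "https://#{authority}#{path}"
end

# Rack response triple. Pass status: 302 or 307 while rolling the redirect
# out (browsers do not cache those), then switch to 301 once it is stable.
def ssl_redirect(env, status: nil, body: nil, host: nil, port: nil)
  status ||= redirect_status_for(env)
  headers = {
    "Content-Type" => "text/html",
    "Location" => https_location_for(env, host: host, port: port),
  }
  [status, headers, body || []]
end

# Constructed sample request (not captured traffic).
def sample_env(method, path, query = "")
  {
    "REQUEST_METHOD" => method,
    "rack.url_scheme" => "http",
    "HTTP_HOST" => "app.example:8080",
    "PATH_INFO" => path,
    "QUERY_STRING" => query,
  }
end

if __FILE__ == $0
  p ssl_redirect(sample_env("POST", "/api/widgets", "v=2"))   # 307
  p ssl_redirect(sample_env("GET", "/"), status: 302)          # 302 while testing
end
```

A POST to the http URL comes back as a 307 with a `Location` pointing at the https URL, so an API client replays the POST with its body intact; a GET gets the cacheable 301 unless `status:` overrides it.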
* ActionDispatch::SSL should keep original header's behavior
  Fumiaki MATSUSHIMA, 2015-06-14; 1 file changed, -1/+1

  `ActionDispatch::SSL` changes headers to `Hash`. So some headers will be broken if there are some middlewares on ActionDispatch::SSL and if it uses `Rack::Utils::HeaderHash`.
* Avoid URI parsing
  Andriel Nuernberg, 2014-04-09; 1 file changed, -5/+8

  This parsing is unnecessary once the Request object already has the needed information.
* Space is not required for Set-Cookie header
  Yamagishi Kazutoshi, 2013-07-05; 1 file changed, -1/+1
* Merge pull request #11069 from ykzts/actiondispatch-ssl-secure-flag-igonore-case
  Guillermo Iguaran, 2013-06-24; 1 file changed, -1/+1

  Flag cookies as secure with ignore case in ActionDispatch::SSL

  Merged commit:

  * Flag cookies as secure with ignore case in ActionDispatch::SSL
    Yamagishi Kazutoshi, 2013-06-24; 1 file changed, -1/+1

* ActionDispatch::SSL: don't include STS header in non-https responses
  Geoff Buesing, 2013-06-23; 1 file changed, -2/+1
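The Strict-Transport-Security header construction that this commit (no STS on non-https responses), the two `subdomains` commits of 2016-02-25 and the HSTS half of the 2015-09-07 `force_ssl` commit describe, as an added example (not Rails' own code; the helper names are assumptions, the `subdomains: true` default is the Rails 5.1 behaviour the deprecation announced, and the 18-week figure is the one the commit message cites):

```ruby
# Added example, not Rails' own code: building Strict-Transport-Security the
# way this log describes it. Names (HSTS_DEFAULTS, normalize_hsts,
# hsts_header_value, add_hsts, preload_eligible?) are assumptions.

# 180 days, the default this log settled on; subdomains on by default because
# an http:// subdomain undoes most of what HSTS on the apex buys you.
HSTS_DEFAULTS = { expires: 180 * 24 * 60 * 60, subdomains: true, preload: false }.freeze

# Accepts nil/true (defaults), false (disable) or a Hash of overrides.
# Disabling means max-age=0, which flushes the policy browsers already hold;
# merely omitting the header leaves the old policy active until it expires.
def normalize_hsts(hsts)
  case hsts
  when nil, true then HSTS_DEFAULTS
  when false     then HSTS_DEFAULTS.merge(expires: 0)
  when Hash      then HSTS_DEFAULTS.merge(hsts)
  else raise ArgumentError, "hsts must be true, false or a Hash"
  end
end

def hsts_header_value(hsts)
  opts = normalize_hsts(hsts)
  # to_i lets callers pass an Integer of seconds or any duration-like object
  # responding to #to_i (the 2013-01-04 commit allowed durations here).
  value = "max-age=#{opts[:expires].to_i}"
  value += "; includeSubDomains" if opts[:subdomains]
  value += "; preload" if opts[:preload]
  value
end

# User agents ignore STS received over plain http (RFC 6797), so the header
# is only attached to https responses; http requests get redirected instead.
def add_hsts(headers, env, hsts)
  return headers unless env["rack.url_scheme"] == "https"
  headers.merge("Strict-Transport-Security" => hsts_header_value(hsts))
end

EIGHTEEN_WEEKS = 18 * 7 * 24 * 60 * 60

# Sanity check before submitting to a preload list: the commit message cites
# an 18-week minimum max-age, and the list also requires includeSubDomains.
def preload_eligible?(hsts)
  opts = normalize_hsts(hsts)
  opts[:preload] && opts[:subdomains] && opts[:expires].to_i >= EIGHTEEN_WEEKS
end

if __FILE__ == $0
  puts hsts_header_value(nil)                      # defaults
  puts hsts_header_value(false)                    # max-age=0 flushes the policy
  puts hsts_header_value(expires: 365 * 24 * 60 * 60, preload: true)
end
```

The case worth noticing is `hsts: false`: the header is still sent, with `max-age=0`, because that is the only way to make a browser forget a policy it cached from an earlier deployment.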
* Allow use of durations for ActionDispatch::SSL configuration
  Andrew White, 2013-01-04; 1 file changed, -1/+1
* Fix secure cookies when there are more than one space before the secure keyword
  Rafael Mendonça França, 2012-03-19; 1 file changed, -1/+1
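The Secure-flagging of response cookies that this commit, the 2013-06-24 ignore-case commit and the 2013-07-05 "space is not required" commit describe, as an added example (not Rails' own code; the helper names are assumptions and the sample Set-Cookie values are constructed):

```ruby
# Added example, not Rails' own code: flagging every Set-Cookie as Secure
# before the response leaves the middleware. The header is one string with a
# cookie per line, as Rack 1.x delivered it; function names are assumptions.

# The attribute test that went through three fixes in this log: ignore case
# ("Secure", "SECURE"), allow zero or many spaces after ";", and anchor on
# ";" or end of string so an attribute like "securely=..." is not taken for
# the flag.
SECURE_FLAG = /;\s*secure\s*(;|$)/i

# The literal check the earlier code used. It wants exactly "; secure", so
# ";Secure" or ";  secure" goes unrecognised and the flag is appended twice.
NAIVE_SECURE_FLAG = /; secure/

def secure_flag?(cookie, pattern = SECURE_FLAG)
  !!(cookie =~ pattern)
end

def flag_cookie_secure(cookie, pattern = SECURE_FLAG)
  secure_flag?(cookie, pattern) ? cookie : "#{cookie}; secure"
end

# Rack 1.x joined multiple cookies with "\n"; each is checked on its own.
def flag_cookies_as_secure(headers, pattern = SECURE_FLAG)
  return headers unless (cookies = headers["Set-Cookie"])
  flagged = cookies.split("\n").map { |c| flag_cookie_secure(c, pattern) }
  headers.merge("Set-Cookie" => flagged.join("\n"))
end

if __FILE__ == $0
  # Constructed sample: one unflagged session cookie, one already Secure.
  headers = { "Set-Cookie" => "_session=abc; path=/; HttpOnly\nprefs=dark;Secure" }
  puts flag_cookies_as_secure(headers)["Set-Cookie"]
end
```

Pass `NAIVE_SECURE_FLAG` as the pattern to see the pre-fix behaviour: a cookie that is already `;Secure` is not recognised and picks up a second `; secure`.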
* Remove exclude option from ActionDispatch::SSL
  Rafael Mendonça França, 2012-03-19; 1 file changed, -7/+0
* Some refactoring and update ActionDispatch::SSL code to use the Rack 1.4.x
  Rafael Mendonça França, 2012-03-17; 1 file changed, -23/+13
* Rack::SSL -> ActionDispatch::SSL
  Rafael Mendonça França, 2012-03-17; 1 file changed, -0/+87