path: root/actionpack/lib/action_dispatch/middleware/ssl.rb
Commit message | Author | Age | Files | Lines
* Make `config.force_ssl` less dangerous to try and easier to disable | Jeremy Daer | 2015-09-07 | 1 | -36/+92

  SSL redirect:
  * Move `:host` and `:port` options within `redirect: { … }`. Deprecate.
  * Introduce `:status` and `:body` to customize the redirect response. The 301 permanent default makes it difficult to test the redirect and back out of it since browsers remember the 301. Test with a 302 or 307 instead, then switch to 301 once you're confident that all is well.

  HTTP Strict Transport Security (HSTS):
  * Shorter max-age. Shorten the default max-age from 1 year to 180 days, the low end for https://www.ssllabs.com/ssltest/ grading and greater than the 18-week minimum to qualify for browser preload lists.
  * Disabling HSTS. Setting `hsts: false` now sets `hsts: { expires: 0 }` instead of omitting the header. Omitting does nothing to disable HSTS since browsers hang on to your previous settings until they expire. Sending `{ hsts: { expires: 0 }}` flushes out old browser settings and actually disables HSTS: http://tools.ietf.org/html/rfc6797#section-6.1.1
  * HSTS Preload. Introduce `preload: true` to set the `preload` flag, indicating that your site may be included in browser preload lists, including Chrome, Firefox, Safari, IE11, and Edge. Submit your site: https://hstspreload.appspot.com
* ActionDispatch::SSL should keep original header's behavior | Fumiaki MATSUSHIMA | 2015-06-14 | 1 | -1/+1

  `ActionDispatch::SSL` changes headers to `Hash`. So some headers will be broken if there are some middlewares on ActionDispatch::SSL and if it uses `Rack::Utils::HeaderHash`.
* Avoid URI parsing | Andriel Nuernberg | 2014-04-09 | 1 | -5/+8

  This parsing is unnecessary once the Request object already has the needed information.
* Space is not required for Set-Cookie header | Yamagishi Kazutoshi | 2013-07-05 | 1 | -1/+1
* Merge pull request #11069 from ykzts/actiondispatch-ssl-secure-flag-igonore-case | Guillermo Iguaran | 2013-06-24 | 1 | -1/+1

  Flag cookies as secure with ignore case in ActionDispatch::SSL

  * Flag cookies as secure with ignore case in ActionDispatch::SSL | Yamagishi Kazutoshi | 2013-06-24 | 1 | -1/+1
* ActionDispatch:SSL: don't include STS header in non-https responses | Geoff Buesing | 2013-06-23 | 1 | -2/+1
* Allow use of durations for ActionDispatch::SSL configuration | Andrew White | 2013-01-04 | 1 | -1/+1
* Fix secure cookies when there are more than one space before the secure keyword | Rafael Mendonça França | 2012-03-19 | 1 | -1/+1
* Remove exclude option from ActionDispatch::SSL | Rafael Mendonça França | 2012-03-19 | 1 | -7/+0
* Some refactoring and update ActionDispatch::SSL code to use the Rack 1.4.x | Rafael Mendonça França | 2012-03-17 | 1 | -23/+13
* Rack::SSL -> ActionDispatch::SSL | Rafael Mendonça França | 2012-03-17 | 1 | -0/+87