Commit message (Collapse) | Author | Age | Files | Lines | |
---|---|---|---|---|---|
* | Make `config.force_ssl` less dangerous to try and easier to disable | Jeremy Daer | 2015-09-07 | 1 | -36/+92 |
| | | | | | | | | | | | | | | | | | | | | | | | | SSL redirect: * Move `:host` and `:port` options within `redirect: { … }`. Deprecate. * Introduce `:status` and `:body` to customize the redirect response. The 301 permanent default makes it difficult to test the redirect and back out of it since browsers remember the 301. Test with a 302 or 307 instead, then switch to 301 once you're confident that all is well. HTTP Strict Transport Security (HSTS): * Shorter max-age. Shorten the default max-age from 1 year to 180 days, the low end for https://www.ssllabs.com/ssltest/ grading and greater than the 18-week minimum to qualify for browser preload lists. * Disabling HSTS. Setting `hsts: false` now sets `hsts: { expires: 0 }` instead of omitting the header. Omitting does nothing to disable HSTS since browsers hang on to your previous settings until they expire. Sending `{ hsts: { expires: 0 }}` flushes out old browser settings and actually disables HSTS: http://tools.ietf.org/html/rfc6797#section-6.1.1 * HSTS Preload. Introduce `preload: true` to set the `preload` flag, indicating that your site may be included in browser preload lists, including Chrome, Firefox, Safari, IE11, and Edge. Submit your site: https://hstspreload.appspot.com | ||||
* | ActionDispatch::SSL should keep original header's behavior | Fumiaki MATSUSHIMA | 2015-06-14 | 1 | -1/+1 |
| | | | | | | `ActionDispatch::SSL` changes headers to `Hash`. So some headers will be broken if there are some middlewares on ActionDispatch::SSL and if it uses `Rack::Utils::HeaderHash`. | ||||
* | Avoid URI parsing | Andriel Nuernberg | 2014-04-09 | 1 | -5/+8 |
| | | | | | This parsing is unecessary once the Request object already has the needed information. | ||||
* | Space is not required for Set-Cookie header | Yamagishi Kazutoshi | 2013-07-05 | 1 | -1/+1 |
| | |||||
* | Merge pull request #11069 from ykzts/actiondispatch-ssl-secure-flag-igonore-case | Guillermo Iguaran | 2013-06-24 | 1 | -1/+1 |
|\ | | | | | Flag cookies as secure with ignore case in ActionDispatch::SSL | ||||
| * | Flag cookies as secure with ignore case in ActionDispatch::SSL | Yamagishi Kazutoshi | 2013-06-24 | 1 | -1/+1 |
| | | |||||
* | | ActionDispatch:SSL: don't include STS header in non-https responses | Geoff Buesing | 2013-06-23 | 1 | -2/+1 |
|/ | |||||
* | Allow use of durations for ActionDispatch::SSL configuration | Andrew White | 2013-01-04 | 1 | -1/+1 |
| | |||||
* | Fix secure cookies when there are more than one space before the secure | Rafael Mendonça França | 2012-03-19 | 1 | -1/+1 |
| | | | | keyword | ||||
* | Remove exclude option from ActionDispatch::SSL | Rafael Mendonça França | 2012-03-19 | 1 | -7/+0 |
| | |||||
* | Some refactoring and update ActionDispatch::SSL code to use the Rack 1.4.x | Rafael Mendonça França | 2012-03-17 | 1 | -23/+13 |
| | |||||
* | Rack::SSL -> ActionDispatch::SSL | Rafael Mendonça França | 2012-03-17 | 1 | -0/+87 |