aboutsummaryrefslogtreecommitdiffstats
path: root/actionpack/test/dispatch/ssl_test.rb
Commit message (Collapse)AuthorAgeFilesLines
* Remove splat operator warning from ssl_testPrathamesh Sonpatki2016-01-071-1/+1
| | | | | | - Removes following warning - `rails/actionpack/test/dispatch/ssl_test.rb:203: warning: `*' interpreted as argument prefix`.
* Flexible configuration for ActionDispatch::SSLTim Rogers2015-12-291-15/+30
|
* Make `config.force_ssl` less dangerous to try and easier to disableJeremy Daer2015-09-071-164/+133
| | | | | | | | | | | | | | | | | | | | | | | | SSL redirect: * Move `:host` and `:port` options within `redirect: { … }`. Deprecate. * Introduce `:status` and `:body` to customize the redirect response. The 301 permanent default makes it difficult to test the redirect and back out of it since browsers remember the 301. Test with a 302 or 307 instead, then switch to 301 once you're confident that all is well. HTTP Strict Transport Security (HSTS): * Shorter max-age. Shorten the default max-age from 1 year to 180 days, the low end for https://www.ssllabs.com/ssltest/ grading and greater than the 18-week minimum to qualify for browser preload lists. * Disabling HSTS. Setting `hsts: false` now sets `hsts: { expires: 0 }` instead of omitting the header. Omitting does nothing to disable HSTS since browsers hang on to your previous settings until they expire. Sending `{ hsts: { expires: 0 }}` flushes out old browser settings and actually disables HSTS: http://tools.ietf.org/html/rfc6797#section-6.1.1 * HSTS Preload. Introduce `preload: true` to set the `preload` flag, indicating that your site may be included in browser preload lists, including Chrome, Firefox, Safari, IE11, and Edge. Submit your site: https://hstspreload.appspot.com
* ActionDispatch::SSL should keep original header's behaviorFumiaki MATSUSHIMA2015-06-141-0/+11
| | | | | | `ActionDispatch::SSL` changes headers to `Hash`. So some headers will be broken if there are some middlewares on ActionDispatch::SSL and if it uses `Rack::Utils::HeaderHash`.
* Consistent usage of spaces in hashes across our codebaseRafael Mendonça França2015-01-291-1/+1
|
* Switch to kwargs in ActionController::TestCase and ActionDispatch::IntegrationKir Shatrov2015-01-291-1/+1
| | | | | | | | Non-kwargs requests are deprecated now. Guides are updated as well. `post url, nil, nil, { a: 'b' }` doesn't make sense. `post url, params: { y: x }, session: { a: 'b' }` would be an explicit way to do the same
* Avoid URI parsingAndriel Nuernberg2014-04-091-0/+7
| | | | | This parsing is unecessary once the Request object already has the needed information.
* Space is not required for Set-Cookie headerYamagishi Kazutoshi2013-07-051-0/+29
|
* Merge pull request #11069 from ykzts/actiondispatch-ssl-secure-flag-igonore-caseGuillermo Iguaran2013-06-241-0/+14
|\ | | | | Flag cookies as secure with ignore case in ActionDispatch::SSL
| * Flag cookies as secure with ignore case in ActionDispatch::SSLYamagishi Kazutoshi2013-06-241-0/+14
| |
* | ActionDispatch:SSL: don't include STS header in non-https responsesGeoff Buesing2013-06-231-0/+5
|/
* Allow use of durations for ActionDispatch::SSL configurationAndrew White2013-01-041-0/+7
|
* Alias refute methods to assert_not and perfer assert_not on testsRafael Mendonça França2012-12-311-1/+1
|
* Fix secure cookies when there are more than one space before the secureRafael Mendonça França2012-03-191-0/+28
| | | | keyword
* Remove exclude option from ActionDispatch::SSLRafael Mendonça França2012-03-191-6/+0
|
* Some refactoring and update ActionDispatch::SSL code to use the Rack 1.4.xRafael Mendonça França2012-03-171-14/+0
|
* Rack::SSL -> ActionDispatch::SSLRafael Mendonça França2012-03-171-0/+149