From d8bf1f22ded16e37b3f18b942c8ae49ea79e3d79 Mon Sep 17 00:00:00 2001 From: Geoff Buesing Date: Sun, 23 Jun 2013 19:58:02 -0500 Subject: ActionDispatch:SSL: don't include STS header in non-https responses --- actionpack/test/dispatch/ssl_test.rb | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'actionpack/test') diff --git a/actionpack/test/dispatch/ssl_test.rb b/actionpack/test/dispatch/ssl_test.rb index a9bea7ea73..881a8474e1 100644 --- a/actionpack/test/dispatch/ssl_test.rb +++ b/actionpack/test/dispatch/ssl_test.rb @@ -37,6 +37,11 @@ class SSLTest < ActionDispatch::IntegrationTest response.headers['Strict-Transport-Security'] end + def test_no_hsts_with_insecure_connection + get "http://example.org/" + assert_not response.headers['Strict-Transport-Security'] + end + def test_hsts_header self.app = ActionDispatch::SSL.new(default_app, :hsts => true) get "https://example.org/" -- cgit v1.2.3