From 6f5cca77313e127313ea44c5c213fda3b9027a95 Mon Sep 17 00:00:00 2001
From: Grant Bourque <grant@anedot.com>
Date: Tue, 16 Jan 2018 18:14:06 -0600
Subject: Update default HSTS max-age value to 1 year

- Update the default HSTS max-age value to 31536000 seconds (1 year)
  to meet the minimum max-age requirement for https://hstspreload.org/.
---
 actionpack/CHANGELOG.md                          | 5 +++++
 actionpack/lib/action_dispatch/middleware/ssl.rb | 9 ++++-----
 actionpack/test/dispatch/ssl_test.rb             | 4 ++--
 3 files changed, 11 insertions(+), 7 deletions(-)


diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md
index a952eade08..6921f1b45f 100644
--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@@ -1,3 +1,8 @@
+*   Update the default HSTS max-age value to 31536000 seconds (1 year)
+    to meet the minimum max-age requirement for https://hstspreload.org/.
+
+    *Grant Bourque*
+
 *   Add `Referrer-Policy` header to default headers set.
 
     *Guillermo Iguaran*
diff --git a/actionpack/lib/action_dispatch/middleware/ssl.rb b/actionpack/lib/action_dispatch/middleware/ssl.rb
index ef633aadc6..6d9f36ad75 100644
--- a/actionpack/lib/action_dispatch/middleware/ssl.rb
+++ b/actionpack/lib/action_dispatch/middleware/ssl.rb
@@ -26,8 +26,8 @@ module ActionDispatch
   #    Set +config.ssl_options+ with <tt>hsts: { ... }</tt> to configure HSTS:
   #
   #    * +expires+: How long, in seconds, these settings will stick. The minimum
-  #      required to qualify for browser preload lists is 18 weeks. Defaults to
-  #      180 days (recommended).
+  #      required to qualify for browser preload lists is 1 year. Defaults to
+  #      1 year (recommended).
   #
   #    * +subdomains+: Set to +true+ to tell the browser to apply these settings
   #      to all subdomains. This protects your cookies from interception by a
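Review bot: The rewritten sentence on the `expires` option says the 1-year value is "the minimum required to qualify for browser preload lists", but max-age is only one of the preload requirements; the preload list also expects the `includeSubDomains` and `preload` directives, and the shipped default is `preload: false` (visible in the second hunk of this file). A reader could take the new default alone as making the app preload-eligible. I would add after "Defaults to 1 year (recommended)." a sentence such as `#      Preload eligibility also requires +subdomains+ and +preload+ to be set.` The same wording issue is in the constant comment of the next hunk ("the minimum for browser preload lists"). The surrounding doc block continues outside the hunk.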
@@ -47,9 +47,8 @@ module ActionDispatch
   class SSL
     # :stopdoc:
 
-    # Default to 180 days, the low end for https://www.ssllabs.com/ssltest/
-    # and greater than the 18-week requirement for browser preload lists.
-    HSTS_EXPIRES_IN = 15552000
+    # Default to 1 year, the minimum for browser preload lists.
+    HSTS_EXPIRES_IN = 31536000
 
     def self.default_hsts_options
       { expires: HSTS_EXPIRES_IN, subdomains: true, preload: false }
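Review bot: `HSTS_EXPIRES_IN = 31536000` is a bare magic number whose unit and derivation the reader has to reconstruct from the comment; spelling it out keeps the value self-checking, e.g. `HSTS_EXPIRES_IN = 365 * 24 * 60 * 60 # 1 year in seconds`. Since this default is what browsers will cache before refusing plain HTTP, the comment could also state the operational consequence of the longer window, e.g. `# Once sent, browsers enforce HTTPS for this long; lower it or send max-age=0 before turning SSL off.` The `SSL` class and `default_hsts_options` continue outside the hunk.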
diff --git a/actionpack/test/dispatch/ssl_test.rb b/actionpack/test/dispatch/ssl_test.rb
index 8ac9502af9..90f2ee46ea 100644
--- a/actionpack/test/dispatch/ssl_test.rb
+++ b/actionpack/test/dispatch/ssl_test.rb
@@ -98,8 +98,8 @@ class RedirectSSLTest < SSLTest
 end
 
 class StrictTransportSecurityTest < SSLTest
-  EXPECTED = "max-age=15552000"
-  EXPECTED_WITH_SUBDOMAINS = "max-age=15552000; includeSubDomains"
+  EXPECTED = "max-age=31536000"
+  EXPECTED_WITH_SUBDOMAINS = "max-age=31536000; includeSubDomains"
 
   def assert_hsts(expected, url: "https://example.org", hsts: { subdomains: true }, headers: {})
     self.app = build_app ssl_options: { hsts: hsts }, headers: headers
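Review bot: The two expected-header constants repeat the literal `max-age=31536000`, so the next bump has to be made in two places again; deriving the second from the first keeps one source of truth, `EXPECTED_WITH_SUBDOMAINS = "#{EXPECTED}; includeSubDomains"`. Keeping `EXPECTED` as a literal rather than reading `ActionDispatch::SSL::HSTS_EXPIRES_IN` is reasonable here because it pins the public default independently of the implementation. `StrictTransportSecurityTest` and `assert_hsts` continue outside the hunk.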
-- 
cgit v1.2.3