class ActionDispatch::SSL

def self.default_hsts_options

def self.default_hsts_options
  { :expires => YEAR, :subdomains => false }
end

def call(env)

def call(env)
  request = Request.new(env)
  if request.ssl?
    status, headers, body = @app.call(env)
    headers = hsts_headers.merge(headers)
    flag_cookies_as_secure!(headers)
    [status, headers, body]
  else
    redirect_to_https(request)
  end
end

def flag_cookies_as_secure!(headers)

def flag_cookies_as_secure!(headers)
  if cookies = headers['Set-Cookie']
    cookies = cookies.split("\n")
    headers['Set-Cookie'] = cookies.map { |cookie|
      if cookie !~ /;\s*secure\s*(;|$)/i
        "#{cookie}; secure"
      else
        cookie
      end
    }.join("\n")
  end
end

def hsts_headers

http://tools.ietf.org/html/draft-hodges-strict-transport-sec-02

def hsts_headers
  if @hsts
    value = "max-age=#{@hsts[:expires].to_i}"
    value += "; includeSubDomains" if @hsts[:subdomains]
    { 'Strict-Transport-Security' => value }
  else
    {}
  end
end

def initialize(app, options = {})

def initialize(app, options = {})
  @app = app
  @hsts = options.fetch(:hsts, {})
  @hsts = {} if @hsts == true
  @hsts = self.class.default_hsts_options.merge(@hsts) if @hsts
  @host    = options[:host]
  @port    = options[:port]
end

def redirect_to_https(request)

def redirect_to_https(request)
  host = @host || request.host
  port = @port || request.port
  location = "https://#{host}"
  location << ":#{port}" if port != 80
  location << request.fullpath
  headers = { 'Content-Type' => 'text/html', 'Location' => location }
  [301, headers, []]
end

Namespace

ActionDispatch

Class Methods

:: default_hsts_options

Instance Methods

Defined in

lib/action_dispatch/middleware/ssl.rb

Modules

Classes

class ActionDispatch::SSL

def self.default_hsts_options

def call(env)

def flag_cookies_as_secure!(headers)

def hsts_headers

def initialize(app, options = {})

def redirect_to_https(request)

Namespace

Class Methods

Instance Methods

Defined in