class ActionDispatch::SSL

config.ssl_options = { redirect: { exclude: -> request { request.path =~ /healthcheck/ } } }
Requests can opt-out of redirection with ‘exclude`:
`hsts: { expires: 0 }`.
expire HSTS immediately. Setting `hsts: false` is a shortcut for
original HSTS directive until it expires. Instead, use the header to tell browsers to
To turn off HSTS, omitting the header is not enough. Browsers will remember the
Defaults to `false`.
Go to hstspreload.appspot.com to submit your site for inclusion.
gap, browser vendors include a baked-in list of HSTS-enabled sites.
first visit* since it hasn’t seen your HSTS header yet. To close this
preloaded HSTS lists. HSTS protects your site on every visit *except the
* ‘preload`: Advertise that this site may be included in browsers’
vulnerable site on a subdomain. Defaults to ‘false`.
to all subdomains. This protects your cookies from interception by a
* `subdomains`: Set to `true` to tell the browser to apply these settings
`180.days` (recommended).
required to qualify for browser preload lists is `18.weeks`. Defaults to
* `expires`: How long, in seconds, these settings will stick. The minimum
Set `config.ssl_options` with `hsts: { … }` to configure HSTS:
Enabled by default. Configure `config.ssl_options` with `hsts: false` to disable.
this site as TLS-only and automatically redirect non-TLS requests.
3. HTTP Strict Transport Security (HSTS): Tells the browser to remember
`config.ssl_options` with `secure_cookies: false` to disable this feature.
mustn’t be sent along with http:// requests. Enabled by default. Set
2. Secure cookies: Sets the ‘secure` flag on cookies to tell browsers they
`redirect: false` to disable this feature.
(e.g. `redirect: { host: “secure.widgets.com”, port: 8080 }`), or set
to modify the destination URL
with the same URL host, path, etc. Enabled by default. Set `config.ssl_options`
1. TLS redirect: Permanently redirects http:// requests to https://
requests:
the options set in `config.ssl_options`. It does three jobs to enforce secure HTTP
This middleware is added to the stack when `config.force_ssl = true`, and is passed

def self.default_hsts_options 

def self.default_hsts_options
  { expires: HSTS_EXPIRES_IN, subdomains: false, preload: false }
end

def build_hsts_header(hsts)

http://tools.ietf.org/html/rfc6797#section-6.1 
def build_hsts_header(hsts)
  value = "max-age=#{hsts[:expires].to_i}"
  value << "; includeSubDomains" if hsts[:subdomains]
  value << "; preload" if hsts[:preload]
  value
end

def call(env) 

def call(env)
  request = Request.new env
  if request.ssl?
    @app.call(env).tap do |status, headers, body|
      set_hsts_header! headers
      flag_cookies_as_secure! headers if @secure_cookies
    end
  else
    return redirect_to_https request unless @exclude.call(request)
    @app.call(env)
  end
end

def flag_cookies_as_secure!(headers) 

def flag_cookies_as_secure!(headers)
  if cookies = headers['Set-Cookie'.freeze]
    cookies = cookies.split("\n".freeze)
    headers['Set-Cookie'.freeze] = cookies.map { |cookie|
      if cookie !~ /;\s*secure\s*(;|$)/i
        "#{cookie}; secure"
      else
        cookie
      end
    }.join("\n".freeze)
  end
end

def https_location_for(request) 

def https_location_for(request)
  host = @redirect[:host] || request.host
  port = @redirect[:port] || request.port
  location = "https://#{host}"
  location << ":#{port}" if port != 80 && port != 443
  location << request.fullpath
  location
end

def initialize(app, redirect: {}, hsts: {}, secure_cookies: true, **options) 

def initialize(app, redirect: {}, hsts: {}, secure_cookies: true, **options)
  @app = app
  if options[:host] || options[:port]
    ActiveSupport::Deprecation.warn <<-end_warning.strip_heredoc
      The `:host` and `:port` options are moving within `:redirect`:
      `config.ssl_options = { redirect: { host: …, port: … } }`.
    end_warning
    @redirect = options.slice(:host, :port)
  else
    @redirect = redirect
  end
  @exclude = @redirect && @redirect[:exclude] || proc { !@redirect }
  @secure_cookies = secure_cookies
  if hsts != true && hsts != false && hsts[:subdomains].nil?
    hsts[:subdomains] = false
    ActiveSupport::Deprecation.warn <<-end_warning.strip_heredoc
      In Rails 5.1, The `:subdomains` option of HSTS config will be treated as true if
      unspecified. Set `config.ssl_options = { hsts: { subdomains: false } }` to opt out
      of this behavior.
    end_warning
  end
  @hsts_header = build_hsts_header(normalize_hsts_options(hsts))
end

def normalize_hsts_options(options) 

def normalize_hsts_options(options)
  case options
  # Explicitly disabling HSTS clears the existing setting from browsers
  # by setting expiry to 0.
  when false
    self.class.default_hsts_options.merge(expires: 0)
  # Default to enabled, with default options.
  when nil, true
    self.class.default_hsts_options
  else
    self.class.default_hsts_options.merge(options)
  end
end

def redirect_to_https(request) 

def redirect_to_https(request)
  [ @redirect.fetch(:status, redirection_status(request)),
    { 'Content-Type' => 'text/html',
      'Location' => https_location_for(request) },
    @redirect.fetch(:body, []) ]
end

def redirection_status(request) 

def redirection_status(request)
  if request.get? || request.head?
    301 # Issue a permanent redirect via a GET request.
  else
    307 # Issue a fresh request redirect to preserve the HTTP method.
  end
end

def set_hsts_header!(headers) 

def set_hsts_header!(headers)
  headers['Strict-Transport-Security'.freeze] ||= @hsts_header
end