class ActionDispatch::SSL
is a shortcut for ‘hsts: { expires: 0 }`.
header to tell browsers to expire HSTS immediately. Setting `hsts: false`
remember the original HSTS directive until it expires. Instead, use the
To turn off HSTS, omitting the header is not enough. Browsers will
inclusion. Defaults to `false`.
sites. Go to hstspreload.org to submit your site for
this gap, browser vendors include a baked-in list of HSTS-enabled
the first visit* since it hasn’t seen your HSTS header yet. To close
preloaded HSTS lists. HSTS protects your site on every visit *except
* ‘preload`: Advertise that this site may be included in browsers’
interception by a vulnerable site on a subdomain. Defaults to ‘true`.
settings to all subdomains. This protects your cookies from
* `subdomains`: Set to `true` to tell the browser to apply these
Defaults to 2 years (recommended).
minimum required to qualify for browser preload lists is 1 year.
* `expires`: How long, in seconds, these settings will stick. The
Set `config.ssl_options` with `hsts: { … }` to configure HSTS:
by default. Configure `config.ssl_options` with `hsts: false` to disable.
this site as TLS-only and automatically redirect non-TLS requests. Enabled
3. **HTTP Strict Transport Security (HSTS)**: Tells the browser to remember
feature.
Set `config.ssl_options` with `secure_cookies: false` to disable this
they must not be sent along with `http://` requests. Enabled by default.
2. **Secure cookies**: Sets the `secure` flag on cookies to tell browsers
config.assume_ssl = true
that the request really is HTTPS, set `config.assume_ssl` to `true`:
To make the server assume that the proxy already terminated SSL, and
This makes redirects and cookie security target HTTP instead of HTTPS.
request will appear as though it’s HTTP instead of HTTPS to the application.
When proxying through a load balancer that terminates SSL, the forwarded
Cookies will not be flagged as secure for excluded requests.
config.ssl_options = { redirect: { exclude: -> request { request.path == “/up” } } }
Requests can opt-out of redirection with ‘exclude`:
Or set `redirect: false` to disable redirection.
config.ssl_options = { redirect: { host: “secure.widgets.com”, port: 8080 }`
`config.ssl_options` to modify the destination URL:
with the same URL host, path, etc. Enabled by default. Set
1. **TLS redirect**: Permanently redirects `http://` requests to `https://`
secure HTTP requests:
passed the options set in `config.ssl_options`. It does three jobs to enforce
This middleware is added to the stack when `config.force_ssl = true`, and is
# Action Dispatch SSL
def self.default_hsts_options
def self.default_hsts_options { expires: HSTS_EXPIRES_IN, subdomains: true, preload: false } end
def build_hsts_header(hsts)
def build_hsts_header(hsts) value = +"max-age=#{hsts[:expires].to_i}" value << "; includeSubDomains" if hsts[:subdomains] value << "; preload" if hsts[:preload] value end
def call(env)
def call(env) request = Request.new env if request.ssl? @app.call(env).tap do |status, headers, body| set_hsts_header! headers flag_cookies_as_secure! headers if @secure_cookies && !@exclude.call(request) end else return redirect_to_https request unless @exclude.call(request) @app.call(env) end end
def flag_cookies_as_secure!(headers)
def flag_cookies_as_secure!(headers) cookies = headers[Rack::SET_COOKIE] return unless cookies if Gem::Version.new(Rack::RELEASE) < Gem::Version.new("3") cookies = cookies.split("\n") headers[Rack::SET_COOKIE] = cookies.map { |cookie| if !/;\s*secure\s*(;|$)/i.match?(cookie) "#{cookie}; secure" else cookie end }.join("\n") else headers[Rack::SET_COOKIE] = Array(cookies).map do |cookie| if !/;\s*secure\s*(;|$)/i.match?(cookie) "#{cookie}; secure" else cookie end end end end
def https_location_for(request)
def https_location_for(request) host = @redirect[:host] || request.host port = @redirect[:port] || request.port location = +"https://#{host}" location << ":#{port}" if port != 80 && port != 443 location << request.fullpath location end
def initialize(app, redirect: {}, hsts: {}, secure_cookies: true, ssl_default_redirect_status: nil)
def initialize(app, redirect: {}, hsts: {}, secure_cookies: true, ssl_default_redirect_status: nil) @app = app @redirect = redirect @exclude = @redirect && @redirect[:exclude] || proc { !@redirect } @secure_cookies = secure_cookies @hsts_header = build_hsts_header(normalize_hsts_options(hsts)) @ssl_default_redirect_status = ssl_default_redirect_status end
def normalize_hsts_options(options)
def normalize_hsts_options(options) case options # Explicitly disabling HSTS clears the existing setting from browsers by setting # expiry to 0. when false self.class.default_hsts_options.merge(expires: 0) # Default to enabled, with default options. when nil, true self.class.default_hsts_options else self.class.default_hsts_options.merge(options) end end
def redirect_to_https(request)
def redirect_to_https(request) [ @redirect.fetch(:status, redirection_status(request)), { Rack::CONTENT_TYPE => "text/html; charset=utf-8", Constants::LOCATION => https_location_for(request) }, (@redirect[:body] || []) ] end
def redirection_status(request)
def redirection_status(request) if PERMANENT_REDIRECT_REQUEST_METHODS.include?(request.raw_request_method) 301 # Issue a permanent redirect via a GET request. elsif @ssl_default_redirect_status @ssl_default_redirect_status else 307 # Issue a fresh request redirect to preserve the HTTP method. end end
def set_hsts_header!(headers)
def set_hsts_header!(headers) headers[Constants::STRICT_TRANSPORT_SECURITY] ||= @hsts_header end