Class: ActionDispatch::SSL
- Inherits:
-
Object
- Object
- ActionDispatch::SSL
- Defined in:
- lib/action_dispatch/middleware/ssl.rb
Overview
This middleware is added to the stack when config.force_ssl = true
, and is passed the options set in config.ssl_options
. It does three jobs to enforce secure HTTP requests:
-
TLS redirect: Permanently redirects
http://
requests tohttps://
with the same URL host, path, etc. Enabled by default. Setconfig.ssl_options
to modify the destination URL (e.g.redirect: { host: "secure.widgets.com", port: 8080 }
), or setredirect: false
to disable this feature.Requests can opt-out of redirection with
exclude
:config. = { redirect: { exclude: -> request { request.path =~ /healthcheck/ } } }
Cookies will not be flagged as secure for excluded requests.
-
Secure cookies: Sets the
secure
flag on cookies to tell browsers they must not be sent along withhttp://
requests. Enabled by default. Setconfig.ssl_options
withsecure_cookies: false
to disable this feature. -
HTTP Strict Transport Security (HSTS): Tells the browser to remember this site as TLS-only and automatically redirect non-TLS requests. Enabled by default. Configure
config.ssl_options
withhsts: false
to disable.Set
config.ssl_options
withhsts: { ... }
to configure HSTS:-
expires
: How long, in seconds, these settings will stick. The minimum required to qualify for browser preload lists is 1 year. Defaults to 1 year (recommended). -
subdomains
: Set totrue
to tell the browser to apply these settings to all subdomains. This protects your cookies from interception by a vulnerable site on a subdomain. Defaults totrue
. -
preload
: Advertise that this site may be included in browsers' preloaded HSTS lists. HSTS protects your site on every visit except the first visit since it hasn't seen your HSTS header yet. To close this gap, browser vendors include a baked-in list of HSTS-enabled sites. Go to hstspreload.org to submit your site for inclusion. Defaults tofalse
.
To turn off HSTS, omitting the header is not enough. Browsers will remember the original HSTS directive until it expires. Instead, use the header to tell browsers to expire HSTS immediately. Setting
hsts: false
is a shortcut forhsts: { expires: 0 }
. -
Constant Summary collapse
- HSTS_EXPIRES_IN =
Default to 1 year, the minimum for browser preload lists.
31536000
Class Method Summary collapse
Instance Method Summary collapse
- #call(env) ⇒ Object
-
#initialize(app, redirect: {}, hsts: {}, secure_cookies: true) ⇒ SSL
constructor
A new instance of SSL.
Constructor Details
#initialize(app, redirect: {}, hsts: {}, secure_cookies: true) ⇒ SSL
Returns a new instance of SSL.
59 60 61 62 63 64 65 66 67 68 |
# File 'lib/action_dispatch/middleware/ssl.rb', line 59 def initialize(app, redirect: {}, hsts: {}, secure_cookies: true) @app = app @redirect = redirect @exclude = @redirect && @redirect[:exclude] || proc { !@redirect } @secure_cookies = @hsts_header = build_hsts_header((hsts)) end |
Class Method Details
.default_hsts_options ⇒ Object
55 56 57 |
# File 'lib/action_dispatch/middleware/ssl.rb', line 55 def self. { expires: HSTS_EXPIRES_IN, subdomains: true, preload: false } end |
Instance Method Details
#call(env) ⇒ Object
70 71 72 73 74 75 76 77 78 79 80 81 82 |
# File 'lib/action_dispatch/middleware/ssl.rb', line 70 def call(env) request = Request.new env if request.ssl? @app.call(env).tap do |status, headers, body| set_hsts_header! headers headers if @secure_cookies && !@exclude.call(request) end else return redirect_to_https request unless @exclude.call(request) @app.call(env) end end |