Merge pull request #31720 from grantbdev/update_default_hsts_max_age
Update default HSTS max-age value to 1 year
This commit is contained in:
commit
efd3338b19
2 changed files with 6 additions and 7 deletions
|
@ -26,8 +26,8 @@ module ActionDispatch
|
|||
# Set +config.ssl_options+ with <tt>hsts: { ... }</tt> to configure HSTS:
|
||||
#
|
||||
# * +expires+: How long, in seconds, these settings will stick. The minimum
|
||||
# required to qualify for browser preload lists is 18 weeks. Defaults to
|
||||
# 180 days (recommended).
|
||||
# required to qualify for browser preload lists is 1 year. Defaults to
|
||||
# 1 year (recommended).
|
||||
#
|
||||
# * +subdomains+: Set to +true+ to tell the browser to apply these settings
|
||||
# to all subdomains. This protects your cookies from interception by a
|
||||
|
@ -47,9 +47,8 @@ module ActionDispatch
|
|||
class SSL
|
||||
# :stopdoc:
|
||||
|
||||
# Default to 180 days, the low end for https://www.ssllabs.com/ssltest/
|
||||
# and greater than the 18-week requirement for browser preload lists.
|
||||
HSTS_EXPIRES_IN = 15552000
|
||||
# Default to 1 year, the minimum for browser preload lists.
|
||||
HSTS_EXPIRES_IN = 31536000
|
||||
|
||||
def self.default_hsts_options
|
||||
{ expires: HSTS_EXPIRES_IN, subdomains: true, preload: false }
|
||||
|
|
|
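Review bot: `HSTS_EXPIRES_IN = 31536000` in the second hunk carries its one-year meaning only in the comment; writing it as `HSTS_EXPIRES_IN = 365 * 24 * 60 * 60 # 1 year` keeps the value identical while making the unit visible to the reader. The new comment `the minimum for browser preload lists` also reads as if the default alone qualifies, but the `default_hsts_options` hash in the same hunk still sets `preload: false`, so something like `the minimum max-age browser preload lists accept` would be more precise. Worth adding to that comment, and to the `1 year (recommended)` line in the first hunk, that a max-age this long is effectively a long-lived commitment: once browsers have cached the policy, the only way back to plain HTTP is to keep serving HTTPS with a `max-age=0` header until clients have picked it up, so operators enabling this should be sure they can sustain HTTPS.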
@ -98,8 +98,8 @@ class RedirectSSLTest < SSLTest
|
|||
end
|
||||
|
||||
class StrictTransportSecurityTest < SSLTest
|
||||
EXPECTED = "max-age=15552000"
|
||||
EXPECTED_WITH_SUBDOMAINS = "max-age=15552000; includeSubDomains"
|
||||
EXPECTED = "max-age=31536000"
|
||||
EXPECTED_WITH_SUBDOMAINS = "max-age=31536000; includeSubDomains"
|
||||
|
||||
def assert_hsts(expected, url: "https://example.org", hsts: { subdomains: true }, headers: {})
|
||||
self.app = build_app ssl_options: { hsts: hsts }, headers: headers
|
||||
|
|
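Review bot: The literal `31536000` is pinned twice in `EXPECTED` and `EXPECTED_WITH_SUBDOMAINS`; deriving the second from the first, `EXPECTED_WITH_SUBDOMAINS = "#{EXPECTED}; includeSubDomains"`, keeps a single place to update while still asserting the concrete default rather than echoing `HSTS_EXPIRES_IN`. A one-line comment such as `# Literal on purpose: pins the documented 1-year default instead of the constant` would make clear the duplication with the middleware is intentional.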