1
0
Fork 0
mirror of https://github.com/rails/rails.git synced 2022-11-09 12:12:34 -05:00
Commit graph

20 commits

Author SHA1 Message Date
Kasper Timm Hansen
493313228a Rename constrain_to to exclude.
`ActionDispatch::SSL` redirects all HTTP requests to HTTPS, not just some.
The `constrain_to` option inverts this, so it sounds like the middleware
only handles a few requests, rather than the majority with a few routes to
opt out of the redirect.

Renaming to `exclude` matches this intent more closely.
2016-03-03 21:09:58 +01:00
Greg Molnar
97b9e32d23 add constraint_to option to SSL middleware 2016-02-28 22:55:26 +01:00
Prathamesh Sonpatki
31cf0f5571 Added deprecation for older apps
- For old apps which are not setting any value for hsts[:subdomains],
  a deprecation warning will be shown saying that hsts[:subdomains] will
  be turned on by default in Rails 5.1. Currently it will be set to
  false for backward compatibility.
- Adjusted tests to reflect this change.
2016-02-25 10:18:53 +05:30
Prathamesh Sonpatki
70e73e4d4c Remove splat operator warning from ssl_test
- Removes following warning -

  `rails/actionpack/test/dispatch/ssl_test.rb:203: warning: `*' interpreted as argument prefix`.
2016-01-07 13:53:10 +05:30
Tim Rogers
32b1c90837 Flexible configuration for ActionDispatch::SSL 2015-12-29 13:07:51 +00:00
Jeremy Daer
f674922462 Make config.force_ssl less dangerous to try and easier to disable
SSL redirect:
* Move `:host` and `:port` options within `redirect: { … }`. Deprecate.
* Introduce `:status` and `:body` to customize the redirect response.
  The 301 permanent default makes it difficult to test the redirect and
  back out of it since browsers remember the 301. Test with a 302 or 307
  instead, then switch to 301 once you're confident that all is well.

HTTP Strict Transport Security (HSTS):
* Shorter max-age. Shorten the default max-age from 1 year to 180 days,
  the low end for https://www.ssllabs.com/ssltest/ grading and greater
  than the 18-week minimum to qualify for browser preload lists.
* Disabling HSTS. Setting `hsts: false` now sets `hsts: { expires: 0 }`
  instead of omitting the header. Omitting does nothing to disable HSTS
  since browsers hang on to your previous settings until they expire.
  Sending `{ hsts: { expires: 0 }}` flushes out old browser settings and
  actually disables HSTS:
    http://tools.ietf.org/html/rfc6797#section-6.1.1
* HSTS Preload. Introduce `preload: true` to set the `preload` flag,
  indicating that your site may be included in browser preload lists,
  including Chrome, Firefox, Safari, IE11, and Edge. Submit your site:
    https://hstspreload.appspot.com
2015-09-07 17:57:20 -07:00
Fumiaki MATSUSHIMA
bb0186cf55 ActionDispatch::SSL should keep original header's behavior
`ActionDispatch::SSL` changes headers to `Hash`.
So some headers will be broken if there are some middlewares
on ActionDispatch::SSL and if it uses `Rack::Utils::HeaderHash`.
2015-06-14 23:20:04 +09:00
Rafael Mendonça França
bb6fe7e73a Consistent usage of spaces in hashes across our codebase 2015-01-29 12:19:41 -02:00
Kir Shatrov
baf14ae513 Switch to kwargs in ActionController::TestCase and ActionDispatch::Integration
Non-kwargs requests are deprecated now.
Guides are updated as well.

`post url, nil, nil, { a: 'b' }` doesn't make sense.
`post url, params: { y: x }, session: { a: 'b' }` would be an explicit way to do the same
2015-01-29 14:44:46 +02:00
Andriel Nuernberg
85e424de6c Avoid URI parsing
This parsing is unecessary once the Request object already has the
needed information.
2014-04-09 14:19:53 -03:00
Yamagishi Kazutoshi
ce89251bb2 Space is not required for Set-Cookie header 2013-07-05 15:40:14 +09:00
Guillermo Iguaran
d6bc2fa5a9 Merge pull request #11069 from ykzts/actiondispatch-ssl-secure-flag-igonore-case
Flag cookies as secure with ignore case in ActionDispatch::SSL
2013-06-24 14:24:03 -07:00
Yamagishi Kazutoshi
891fd78cd7 Flag cookies as secure with ignore case in ActionDispatch::SSL 2013-06-24 18:01:30 +09:00
Geoff Buesing
d8bf1f22de ActionDispatch:SSL: don't include STS header in non-https responses 2013-06-23 20:01:20 -05:00
Andrew White
add4375a60 Allow use of durations for ActionDispatch::SSL configuration 2013-01-04 16:20:23 +00:00
Rafael Mendonça França
5294ad82c6 Alias refute methods to assert_not and perfer assert_not on tests 2012-12-31 13:58:52 -03:00
Rafael Mendonça França
6e04a78462 Fix secure cookies when there are more than one space before the secure
keyword
2012-03-19 16:31:57 -03:00
Rafael Mendonça França
139bf55b26 Remove exclude option from ActionDispatch::SSL 2012-03-19 16:31:52 -03:00
Rafael Mendonça França
041f4eec39 Some refactoring and update ActionDispatch::SSL code to use the Rack 1.4.x 2012-03-17 13:36:35 -03:00
Rafael Mendonça França
9ec63eb049 Rack::SSL -> ActionDispatch::SSL 2012-03-17 13:36:35 -03:00