Sha256: 9088a500a5d5497cc86a02189c7f8a4c3931e0003626e9b4ed48cd4686ca7e3f

Contents?: true

Size: 1.74 KB

Versions: 61

Compression:

Stored size: 1.74 KB

Contents

module ActionDispatch
  class SSL
    YEAR = 31536000

    def self.default_hsts_options
      { :expires => YEAR, :subdomains => false }
    end

    def initialize(app, options = {})
      @app = app

      @hsts = options.fetch(:hsts, {})
      @hsts = {} if @hsts == true
      @hsts = self.class.default_hsts_options.merge(@hsts) if @hsts

      @host    = options[:host]
      @port    = options[:port]
    end

    def call(env)
      request = Request.new(env)

      if request.ssl?
        status, headers, body = @app.call(env)
        headers = hsts_headers.merge(headers)
        flag_cookies_as_secure!(headers)
        [status, headers, body]
      else
        redirect_to_https(request)
      end
    end

    private
      def redirect_to_https(request)
        host = @host || request.host
        port = @port || request.port

        location = "https://#{host}"
        location << ":#{port}" if port != 80
        location << request.fullpath

        headers = { 'Content-Type' => 'text/html', 'Location' => location }

        [301, headers, []]
      end

      # http://tools.ietf.org/html/draft-hodges-strict-transport-sec-02
      def hsts_headers
        if @hsts
          value = "max-age=#{@hsts[:expires].to_i}"
          value += "; includeSubDomains" if @hsts[:subdomains]
          { 'Strict-Transport-Security' => value }
        else
          {}
        end
      end

      def flag_cookies_as_secure!(headers)
        if cookies = headers['Set-Cookie']
          cookies = cookies.split("\n")

          headers['Set-Cookie'] = cookies.map { |cookie|
            if cookie !~ /;\s*secure\s*(;|$)/i
              "#{cookie}; secure"
            else
              cookie
            end
          }.join("\n")
        end
      end
  end
end

Version data entries

61 entries across 60 versions & 6 rubygems

Version Path
actionpack-4.1.12 lib/action_dispatch/middleware/ssl.rb
actionpack-4.2.3.rc1 lib/action_dispatch/middleware/ssl.rb
actionpack-4.1.12.rc1 lib/action_dispatch/middleware/ssl.rb
actionpack-4.2.2 lib/action_dispatch/middleware/ssl.rb
actionpack-4.1.11 lib/action_dispatch/middleware/ssl.rb
shoppe-paypal-1.1.0 vendor/bundle/ruby/2.1.0/gems/actionpack-4.2.1/lib/action_dispatch/middleware/ssl.rb
actionpack-4.1.10 lib/action_dispatch/middleware/ssl.rb
actionpack-4.2.1 lib/action_dispatch/middleware/ssl.rb
actionpack-4.1.10.rc4 lib/action_dispatch/middleware/ssl.rb
actionpack-4.2.1.rc4 lib/action_dispatch/middleware/ssl.rb
actionpack-4.1.10.rc3 lib/action_dispatch/middleware/ssl.rb
actionpack-4.2.1.rc3 lib/action_dispatch/middleware/ssl.rb
actionpack-4.1.10.rc2 lib/action_dispatch/middleware/ssl.rb
actionpack-4.2.1.rc2 lib/action_dispatch/middleware/ssl.rb
actionpack-4.1.10.rc1 lib/action_dispatch/middleware/ssl.rb
actionpack-4.2.1.rc1 lib/action_dispatch/middleware/ssl.rb
activejob-lock-0.0.1 rails/actionpack/lib/action_dispatch/middleware/ssl.rb
actionpack-4.1.9 lib/action_dispatch/middleware/ssl.rb
actionpack-4.1.9.rc1 lib/action_dispatch/middleware/ssl.rb
actionpack-4.2.0 lib/action_dispatch/middleware/ssl.rb