lib/lotus/loader.rb in lotusrb-0.3.2 vs lib/lotus/loader.rb in lotusrb-0.4.0
- old
+ new
@@ -11,10 +11,14 @@
# Load an application
#
# @since 0.1.0
# @api private
class Loader
+
+ STRICT_TRANSPORT_SECURITY_HEADER = 'Strict-Transport-Security'.freeze
+ STRICT_TRANSPORT_SECURITY_DEFAULT_VALUE = 'max-age=31536000'.freeze
+
def initialize(application)
@application = application
@configuration = @application.configuration
@mutex = Mutex.new
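Review bot: The two new constants carry no YARD tags, while the surrounding class header (`# @since 0.1.0`, `# @api private`) and the security header constants they mirror are documented; add `# @since 0.4.0` and `# @api private` above each. They also live on `Loader` rather than next to `Lotus::Config::Security::X_FRAME_OPTIONS_HEADER` and `CONTENT_SECURITY_POLICY_HEADER` (referenced in the next hunk), so a reader looking for the framework's security header defaults will miss them; moving them into `Lotus::Config::Security` would keep the header constants in one place. Worth noting in the constant's comment that the default value is a bare `max-age` with no `includeSubDomains` directive and, as far as this diff shows, cannot be overridden per application, e.g. `# HSTS default applied when force_ssl is on; one year, no includeSubDomains — not configurable`.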
@@ -52,17 +56,25 @@
default_format config.default_format
default_headers({
Lotus::Config::Security::X_FRAME_OPTIONS_HEADER => config.security.x_frame_options,
Lotus::Config::Security::CONTENT_SECURITY_POLICY_HEADER => config.security.content_security_policy
})
+ default_headers.merge!(STRICT_TRANSPORT_SECURITY_HEADER => STRICT_TRANSPORT_SECURITY_DEFAULT_VALUE) if config.force_ssl
if config.cookies.enabled?
require 'lotus/action/cookies'
prepare { include Lotus::Action::Cookies }
cookies config.cookies.default_options
end
- prepare { include Lotus::Action::Session } if config.sessions.enabled?
+
+ if config.sessions.enabled?
+ prepare do
+ include Lotus::Action::Session
+ include Lotus::Action::CSRFProtection
+ end
+ end
+
prepare { include Lotus::Action::RoutingHelpers }
config.controller.__apply(self)
end
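Review bot: The added `default_headers.merge!(...)` mutates whatever the zero-argument `default_headers` getter returns, so the HSTS entry only lands if that call hands back the live internal hash rather than a copy; this is fragile and invisible to the reader of the preceding `default_headers({...})` call. Building the hash once, adding the Strict-Transport-Security entry conditionally, and passing it in a single `default_headers(headers)` call removes the dependency on the getter's aliasing behaviour. The `prepare` block that now pairs `Lotus::Action::CSRFProtection` with `Lotus::Action::Session` reads clearly; a one-line comment such as `# CSRF protection needs the session store, so it is enabled together with sessions` would record why the two are coupled. The enclosing configuration block begins before this hunk.
```ruby
default_format config.default_format
headers = {
  Lotus::Config::Security::X_FRAME_OPTIONS_HEADER => config.security.x_frame_options,
  Lotus::Config::Security::CONTENT_SECURITY_POLICY_HEADER => config.security.content_security_policy
}
# HSTS is only meaningful when the app insists on TLS; browsers ignore it on plain HTTP responses.
headers[STRICT_TRANSPORT_SECURITY_HEADER] = STRICT_TRANSPORT_SECURITY_DEFAULT_VALUE if config.force_ssl
default_headers(headers)
# … unchanged: cookies, sessions/CSRF, routing helpers, controller __apply …
```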
@@ -181,9 +193,11 @@
resolver: resolver,
default_app: default_app,
scheme: configuration.scheme,
host: configuration.host,
port: configuration.port,
+ prefix: configuration.path_prefix,
+ force_ssl: configuration.force_ssl,
&configuration.routes
)
end
def namespace