rack-ssl-enforcer 0.1.9 → 0.2.0
Sign up to get free protection for your applications and to get access to all the features.
- data/README.rdoc +10 -4
- data/lib/rack/ssl-enforcer.rb +11 -0
- data/lib/rack/ssl-enforcer/version.rb +1 -1
- metadata +3 -3
data/README.rdoc
CHANGED
|
@@ -1,6 +1,7 @@
|
|
|
1
|
-
=
|
|
1
|
+
= Rack::SslEnforcer
|
|
2
2
|
|
|
3
|
-
Rack::SslEnforcer is a simple Rack middleware to enforce ssl connections
|
|
3
|
+
Rack::SslEnforcer is a simple Rack middleware to enforce ssl connections. As of Version 0.2.0, Rack::SslEnforcer marks
|
|
4
|
+
Cookies as secure and enables HSTS by default.
|
|
4
5
|
|
|
5
6
|
|
|
6
7
|
== Installation
|
|
@@ -29,11 +30,15 @@ And force http for non-https path
|
|
|
29
30
|
|
|
30
31
|
use Rack::SslEnforcer, :only => ["/login", /\.xml$/], :strict => true
|
|
31
32
|
|
|
33
|
+
To set HSTS expiry and subdomain inclusion (defaults: one year, true)
|
|
34
|
+
|
|
35
|
+
use Rack::SslEnforcer, :hsts => {:expires => 500, :subdomains => false}
|
|
36
|
+
|
|
32
37
|
|
|
33
38
|
== TODO
|
|
34
39
|
|
|
35
|
-
* Add HSTS support, see http://en.wikipedia.org/wiki/Strict_Transport_Security
|
|
36
40
|
* Add configuration option to specify local http / https ports
|
|
41
|
+
* Cleanup tests
|
|
37
42
|
|
|
38
43
|
|
|
39
44
|
== Contributors
|
|
@@ -56,7 +61,8 @@ Flagging cookies as secure functionality is greatly inspired by {Joshua Peek's R
|
|
|
56
61
|
* Add tests for it. This is important so I don't break it in a
|
|
57
62
|
future version unintentionally.
|
|
58
63
|
* Commit, do not mess with rakefile, version, or history.
|
|
59
|
-
(if you want to have your own version,
|
|
64
|
+
(if you want to have your own version,
|
|
65
|
+
that is fine but bump version in a commit by itself I can ignore when I pull)
|
|
60
66
|
* Send me a pull request. Bonus points for topic branches.
|
|
61
67
|
|
|
62
68
|
|
data/lib/rack/ssl-enforcer.rb
CHANGED
|
@@ -20,12 +20,14 @@ module Rack
|
|
|
20
20
|
elsif ssl_request?(env)
|
|
21
21
|
status, headers, body = @app.call(env)
|
|
22
22
|
flag_cookies_as_secure!(headers)
|
|
23
|
+
set_hsts_headers!(headers)
|
|
23
24
|
[status, headers, body]
|
|
24
25
|
else
|
|
25
26
|
@app.call(env)
|
|
26
27
|
end
|
|
27
28
|
end
|
|
28
29
|
|
|
30
|
+
|
|
29
31
|
private
|
|
30
32
|
|
|
31
33
|
def ssl_request?(env)
|
|
@@ -69,6 +71,7 @@ module Rack
|
|
|
69
71
|
scheme == 'https' ? 443 : 80
|
|
70
72
|
end
|
|
71
73
|
|
|
74
|
+
# see http://en.wikipedia.org/wiki/HTTP_cookie#Cookie_hijacking
|
|
72
75
|
def flag_cookies_as_secure!(headers)
|
|
73
76
|
if cookies = headers['Set-Cookie']
|
|
74
77
|
headers['Set-Cookie'] = cookies.split("\n").map { |cookie|
|
|
@@ -81,5 +84,13 @@ module Rack
|
|
|
81
84
|
end
|
|
82
85
|
end
|
|
83
86
|
|
|
87
|
+
# see http://en.wikipedia.org/wiki/Strict_Transport_Security
|
|
88
|
+
def set_hsts_headers!(headers)
|
|
89
|
+
opts = { :expires => 31536000, :subdomains => true }.merge(@options[:hsts] || {})
|
|
90
|
+
value = "max-age=#{opts[:expires]}"
|
|
91
|
+
value += "; includeSubDomains" if opts[:subdomains]
|
|
92
|
+
headers.merge!({ 'Strict-Transport-Security' => value })
|
|
93
|
+
end
|
|
94
|
+
|
|
84
95
|
end
|
|
85
96
|
end
|