rack-ssl-enforcer 0.1.9 → 0.2.0
- data/README.rdoc +10 -4
- data/lib/rack/ssl-enforcer.rb +11 -0
- data/lib/rack/ssl-enforcer/version.rb +1 -1
- metadata +3 -3
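--- a/data/README.rdoc
+++ b/data/README.rdoc
@@ -1,6 +1,7 @@
-=
+= Rack::SslEnforcer
 
-Rack::SslEnforcer is a simple Rack middleware to enforce ssl connections
+Rack::SslEnforcer is a simple Rack middleware to enforce ssl connections. As of Version 0.2.0, Rack::SslEnforcer marks
+Cookies as secure and enables HSTS by default.
 
 
 == Installation
@@ -29,11 +30,15 @@ And force http for non-https path
 
 use Rack::SslEnforcer, :only => ["/login", /\.xml$/], :strict => true
 
+To set HSTS expiry and subdomain inclusion (defaults: one year, true)
+
+use Rack::SslEnforcer, :hsts => {:expires => 500, :subdomains => false}
+
 
 == TODO
 
-* Add HSTS support, see http://en.wikipedia.org/wiki/Strict_Transport_Security
 * Add configuration option to specify local http / https ports
+* Cleanup tests
 
 
 == Contributors
@@ -56,7 +61,8 @@ Flagging cookies as secure functionality is greatly inspired by {Joshua Peek's R
 * Add tests for it. This is important so I don't break it in a
 future version unintentionally.
 * Commit, do not mess with rakefile, version, or history.
-(if you want to have your own version,
+(if you want to have your own version,
+that is fine but bump version in a commit by itself I can ignore when I pull)
 * Send me a pull request. Bonus points for topic branches.
 
 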
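--- a/data/lib/rack/ssl-enforcer.rb
+++ b/data/lib/rack/ssl-enforcer.rb
@@ -20,12 +20,14 @@ module Rack
 elsif ssl_request?(env)
 status, headers, body = @app.call(env)
 flag_cookies_as_secure!(headers)
+set_hsts_headers!(headers)
 [status, headers, body]
 else
 @app.call(env)
 end
 end
 
+
 private
 
 def ssl_request?(env)
@@ -69,6 +71,7 @@ module Rack
 scheme == 'https' ? 443 : 80
 end
 
+# see http://en.wikipedia.org/wiki/HTTP_cookie#Cookie_hijacking
 def flag_cookies_as_secure!(headers)
 if cookies = headers['Set-Cookie']
 headers['Set-Cookie'] = cookies.split("\n").map { |cookie|
@@ -81,5 +84,13 @@ module Rack
 end
 end
 
+# see http://en.wikipedia.org/wiki/Strict_Transport_Security
+def set_hsts_headers!(headers)
+opts = { :expires => 31536000, :subdomains => true }.merge(@options[:hsts] || {})
+value = "max-age=#{opts[:expires]}"
+value += "; includeSubDomains" if opts[:subdomains]
+headers.merge!({ 'Strict-Transport-Security' => value })
+end
+
 end
 end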