rack-ssl-enforcer 0.2.4 → 0.2.5

data/LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2009 Tobias Matthies
+Copyright (c) 2009-2012 Tobias Matthies
 
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the

data/README.md

@@ -0,0 +1,220 @@
+# Rack::SslEnforcer [![Build Status](https://secure.travis-ci.org/tobmatth/rack-ssl-enforcer.png?branch=master)](http://travis-ci.org/tobmatth/rack-ssl-enforcer)
+
+Rack::SslEnforcer is a simple Rack middleware to enforce SSL connections. As of Version 0.2.0, Rack::SslEnforcer marks
+Cookies as secure by default (HSTS must be set manually).
+
+Tested against Ruby 1.8.7, 1.9.2, 1.9.3, ruby-head, REE and the latest versions of Rubinius & JRuby.
+
+## Installation
+
+The simplest way to install Rack::SslEnforcer is to use [Bundler](http://gembundler.com/).
+
+Add Rack::SslEnforcer to your `Gemfile`:
+
+```ruby
+ gem 'rack-ssl-enforcer'
+```
+
+### Installing on Sinatra / Padrino application
+
+In order for Rack::SslEnforcer to properly work it has to be at the top
+of the Rack Middleware.
+
+Using `enable :session` will place Rack::Session::Cookie before Rack::Ssl::Enforcer 
+and will prevent Rack::Ssl::Enforcer from marking cookies as secure.
+
+To fix this issue do not use `enable :sessions` instead add the
+Rack::Session::Cookie middleware after Rack::Ssl::Enforcer.  
+
+Eg:
+
+    use Rack::SslEnforcer 
+    set :session_secret, 'asdfa2342923422f1adc05c837fa234230e3594b93824b00e930ab0fb94b'
+  
+    #Enable sinatra sessions
+    use Rack::Session::Cookie, :key => '_rack_session',
+                               :path => '/',
+                               :expire_after => 2592000, # In seconds
+                               :secret => session_secret
+
+
+## Basic Usage
+
+If you don't use Bundler, be sure to require Rack::SslEnforcer manually before actually using the middleware:
+
+```ruby
+ require 'rack/ssl-enforcer'
+ use Rack::SslEnforcer
+```
+
+To use Rack::SslEnforcer in your Rails application, add the following line to your application config file (`config/application.rb` for Rails 3, `config/environment.rb` for Rails 2):
+
+```ruby
+config.middleware.use Rack::SslEnforcer
+```
+
+If all you want is SSL for your whole application, you are done! Otherwise, you can specify some options described below.
+
+## Options
+
+### Host constraints
+
+You can enforce SSL connections only for certain hosts with `:only_hosts`, or prevent certain hosts from being forced to SSL with `:except_hosts`. Constraints can be a `String`, a `Regex` or an array of `String` or `Regex` (possibly mixed), as shown in the following examples:
+
+```ruby
+config.middleware.use Rack::SslEnforcer, :only_hosts => 'api.example.com'
+# Please note that, for instance, both http://help.example.com/demo and https://help.example.com/demo would be accessible here
+
+config.middleware.use Rack::SslEnforcer, :except_hosts => /[help|blog]\.example\.com$/
+
+config.middleware.use Rack::SslEnforcer, :only_hosts => [/[secure|admin]\.example\.org$/, 'api.example.com']
+```
+
+### Path constraints
+
+You can enforce SSL connections only for certain paths with `:only`, or prevent certain paths from being forced to SSL with `:except`. Constraints can be a `String`, a `Regex` or an array of `String` or `Regex` (possibly mixed), as shown in the following examples:
+
+```ruby
+config.middleware.use Rack::SslEnforcer, :only => '/login'
+# Please note that, for instance, both http://example.com/demo and https://example.com/demo would be accessible here
+
+config.middleware.use Rack::SslEnforcer, :only => %r{^/admin/}
+
+config.middleware.use Rack::SslEnforcer, :except => ['/demo', %r{^/public/}]
+```
+
+### Method constraints
+
+You can enforce SSL connections only for certain HTTP methods with `:only_methods`, or prevent certain HTTP methods from being forced to SSL with `:except_methods`. Constraints can be a `String` or an array of `String`, as shown in the following examples:
+
+```ruby
+# constraint as a String
+config.middleware.use Rack::SslEnforcer, :only_methods => 'POST'
+# Please note that, for instance, GET requests would be accessible via SSL and non-SSL connection here
+
+config.middleware.use Rack::SslEnforcer, :except_methods => ['GET', 'HEAD']
+```
+
+Note: The `:hosts` constraint takes precedence over the `:path` constraint. Please see the tests for examples.
+
+### Force-redirection to non-SSL connection if constraint is not matched
+
+Use the `:strict` option to force non-SSL connection for all requests not matching the constraints you set. Examples:
+
+```ruby
+config.middleware.use Rack::SslEnforcer, :only => ["/login", /\.xml$/], :strict => true
+# https://example.com/demo would be redirected to http://example.com/demo
+
+config.middleware.use Rack::SslEnforcer, :except_hosts => 'demo.example.com', :strict => true
+# https://demo.example.com would be redirected to http://demo.example.com
+```
+
+### Automatic method constraints
+
+In the case where you have matching URLs with different HTTP methods – for instance Rails RESTful routes: `GET /users`, `POST /users`, `GET /user/:id` and `PUT /user/:id` – you may need to force POST and PUT requests to SSL connection but redirect to non-SSL connection on GET.
+
+```ruby
+config.middleware.use Rack::SslEnforcer, :only => [%r{^/users/}], :mixed => true
+```
+
+The above will allow you to POST/PUT from the secure/non-secure URLs keeping the original schema.
+
+### HTTP Strict Transport Security (HSTS)
+
+To set HSTS expiry and subdomain inclusion (defaults respectively to `one year` and `true`).
+
+```ruby
+config.middleware.use Rack::SslEnforcer, :hsts => { :expires => 500, :subdomains => false }
+config.middleware.use Rack::SslEnforcer, :hsts => true # equivalent to { :expires => 31536000, :subdomains => true }
+```
+Please note that the strict option disables HSTS.
+
+### Redirect to specific URL (e.g. if you're using a proxy)
+
+You might need the `:redirect_to` option if the requested URL can't be determined.
+
+```ruby
+config.middleware.use Rack::SslEnforcer, :redirect_to => 'https://example.org'
+```
+
+### Custom HTTP port
+
+If you're using a different port than the default (80) for HTTP, you can specify it with the `:http_port` option:
+
+```ruby
+config.middleware.use Rack::SslEnforcer, :http_port => 8080
+```
+
+### Custom HTTPS port
+
+If you're using a different port than the default (443) for HTTPS, you can specify it with the `:https_port` option:
+
+```ruby
+config.middleware.use Rack::SslEnforcer, :https_port => 444
+```
+
+### Secure cookies disabling
+
+Finally you might want to share a cookie based session between HTTP and HTTPS.
+This is not possible by default with Rack::SslEnforcer for [security reasons](http://en.wikipedia.org/wiki/HTTP_cookie#Cookie_theft_and_session_hijacking).
+
+Nevertheless, you can set the `:force_secure_cookies` option to `false` in order to be able to share a cookie based session between HTTP and HTTPS:
+
+```ruby
+config.middleware.use Rack::SslEnforcer, :only => "/login", :force_secure_cookies => false
+```
+
+But be aware that if you do so, you have to make sure that the content of you cookie is encoded.
+This can be done using a coder with [Rack::Session::Cookie](https://github.com/rack/rack/blob/master/lib/rack/session/cookie.rb#L28-42).
+
+## Deployment
+
+If you run your application behind a proxy (e.g. Nginx) you may need to do some configuration on that side. If you don't you may experience an infinite redirect loop.
+
+The reason this happens is that Rack::SslEnforcer can't detect if you are running SSL or not. The solution is to have your front-end server send extra headers for Rack::SslEnforcer to identify the request protocol.
+
+### Nginx
+
+In the `location` block for your app's SSL configuration, include the following proxy header configuration:
+
+`proxy_set_header   X-Forwarded-Proto https;`
+
+### Passenger
+
+Or, if you're using mod_rails/passenger (which will ignore the proxy_xxx directives):
+
+`passenger_set_cgi_param HTTP_X_FORWARDED_PROTO https;`
+
+If you're sharing a single `server` block for http AND https access you can add:
+
+`passenger_set_cgi_param HTTP_X_FORWARDED_PROTO $scheme;`
+
+This makes sure that Rack::SslEnforcer knows it's being accessed over SSL. Just restart Nginx for these changes to take effect.
+
+## TODO
+
+* Cleanup tests
+
+## Contributors
+
+* [Dan Mayer](http://github.com/danmayer)
+* [Rémy Coutable](http://github.com/rymai)
+* [Thibaud Guillaume-Gentil](http://github.com/thibaudgg)
+* [Paul Annesley](https://github.com/pda)
+* [Saimon Moore](https://github.com/saimonmoore)
+
+## Credits
+
+Flagging cookies as secure functionality and HSTS support is greatly inspired by [Joshua Peek's Rack::SSL](https://github.com/josh/rack-ssl).
+
+## Note on Patches / Pull Requests
+
+* Fork the project.
+* Code your feature addition or bug fix.
+* **Add tests for it.** This is important so we don't break it in a future version unintentionally.
+* Commit, do not mess with Rakefile or version number. If you want to have your own version, that's fine but bump version in a commit by itself so we can ignore it when merging.
+* Send a pull request. Bonus points for topic branches.
+
+## Copyright
+
+Copyright (c) 2010-2012 Tobias Matthies. See LICENSE for details.

data/lib/rack/ssl-enforcer.rb

@@ -1,38 +1,46 @@
+require 'rack/ssl-enforcer/constraint'
+
 module Rack
+
   class SslEnforcer
 
+    CONSTRAINTS_BY_TYPE = {
+      :hosts   => [:only_hosts, :except_hosts],
+      :path    => [:only, :except],
+      :methods => [:only_methods, :except_methods]
+    }
+
     # Warning: If you set the option force_secure_cookies to false, make sure that your cookies
-    #  are encoded and that you understand the consequences (see documentation)
+    # are encoded and that you understand the consequences (see documentation)
     def initialize(app, options={})
       default_options = {
-        :redirect_to => nil,
-        :only => nil,
-        :only_hosts => nil,
-        :except => nil,
-        :except_hosts => nil,
-        :strict => false,
-        :mixed => false,
-        :hsts => nil,
-        :http_port => nil,
-        :https_port => nil,
+        :redirect_to          => nil,
+        :strict               => false,
+        :mixed                => false,
+        :hsts                 => nil,
+        :http_port            => nil,
+        :https_port           => nil,
         :force_secure_cookies => true
       }
+      CONSTRAINTS_BY_TYPE.values.each { |constraint| default_options[constraint] = nil }
+
       @app, @options = app, default_options.merge(options)
     end
 
     def call(env)
-      @req = Rack::Request.new(env)
-      if enforce_ssl?(@req)
-        scheme = 'https' unless ssl_request?(env)
-      elsif ssl_request?(env) && enforcement_non_ssl?(env)
-        scheme = 'http'
+      @request = Rack::Request.new(env)
+
+      return @app.call(env) if ignore?
+
+      @scheme = if enforce_ssl?
+        'https'
+      elsif enforce_non_ssl?
+        'http'
       end
 
-      if scheme
-        location = replace_scheme(@req, scheme)
-        body     = "<html><body>You are being <a href=\"#{location}\">redirected</a>.</body></html>"
-        [301, { 'Content-Type' => 'text/html', 'Location' => location }, [body]]
-      elsif ssl_request?(env)
+      if redirect_required?
+        modify_location_and_redirect
+      elsif ssl_request?
         status, headers, body = @app.call(env)
         flag_cookies_as_secure!(headers) if @options[:force_secure_cookies]
         set_hsts_headers!(headers) if @options[:hsts] && !@options[:strict]
@@ -43,105 +51,113 @@ module Rack
     end
 
   private
+  
+    def redirect_required?
+      scheme_mismatch? || host_mismatch?
+    end
 
-    def enforcement_non_ssl?(env)
-      true if @options[:strict] || @options[:mixed] && !(env['REQUEST_METHOD'] == 'PUT' || env['REQUEST_METHOD'] == 'POST')
+    def ignore?
+      if @options[:ignore]
+        rules = [@options[:ignore]].flatten.compact
+        rules.any? do |rule|
+          SslEnforcerConstraint.new(:ignore, rule, @request).matches?
+        end
+      else
+        false
+      end
+    end
+    
+    def scheme_mismatch?
+      @scheme && @scheme != current_scheme
+    end
+    
+    def host_mismatch?
+      destination_host && destination_host != @request.host
+    end
+    
+    def modify_location_and_redirect
+      location = "#{current_scheme}://#{@request.host}#{@request.fullpath}"
+      location = replace_scheme(location, @scheme)
+      location = replace_host(location, @options[:redirect_to])
+      redirect_to(location)
+    end
+    
+    def redirect_to(location)
+      body = "<html><body>You are being <a href=\"#{location}\">redirected</a>.</body></html>"
+      [301, { 'Content-Type' => 'text/html', 'Location' => location }, [body]]
     end
 
-    def ssl_request?(env)
-      scheme(env) == 'https'
+    def ssl_request?
+      current_scheme == 'https'
+    end
+    
+    def destination_host
+      if @options[:redirect_to]
+        host_parts = URI.split(@options[:redirect_to])
+        host_parts[2] || host_parts[5]
+      end
     end
 
     # Fixed in rack >= 1.3
-    def scheme(env)
-      if env['HTTPS'] == 'on'
+    def current_scheme
+      if @request.env['HTTPS'] == 'on'
         'https'
-      elsif env['HTTP_X_FORWARDED_PROTO']
-        env['HTTP_X_FORWARDED_PROTO'].split(',')[0]
+      elsif @request.env['HTTP_X_FORWARDED_PROTO']
+        @request.env['HTTP_X_FORWARDED_PROTO'].split(',')[0]
       else
-        env['rack.url_scheme']
+        @request.scheme
       end
     end
 
-    def matches?(key, pattern, req)
-      if pattern.is_a?(Regexp)
-        case key
-        when :only
-          req.path =~ pattern
-        when :except
-          req.path !~ pattern
-        when :only_hosts
-          req.host =~ pattern
-        when :except_hosts
-          req.host !~ pattern
-        end
+    def enforce_ssl_for?(keys)
+      provided_keys = keys.select { |key| @options[key] }
+      if provided_keys.empty?
+        true
       else
-        case key
-        when :only
-          req.path[0,pattern.length] == pattern
-        when :except
-          req.path[0,pattern.length] != pattern
-        when :only_hosts
-          req.host == pattern
-        when :except_hosts
-          req.host != pattern
-        end
-      end
-    end
-
-    def enforce_ssl_for?(keys, req)
-      if keys.any? { |option| @options[option] }
-        keys.any? do |key|
+        provided_keys.all? do |key|
           rules = [@options[key]].flatten.compact
-          unless rules.empty?
-            rules.send(key == :except_hosts || key == :except ? "all?" : "any?") do |pattern|
-              matches?(key, pattern, req)
-            end
+          rules.send([:except_hosts, :except].include?(key) ? :all? : :any?) do |rule|
+            SslEnforcerConstraint.new(key, rule, @request).matches?
           end
         end
-      else
-        false
       end
     end
 
-    def enforce_ssl?(req)
-      path_keys = [:only, :except]
-      hosts_keys = [:only_hosts, :except_hosts]
-      if hosts_keys.any? { |option| @options[option] }
-        if enforce_ssl_for?(hosts_keys, req)
-          if path_keys.any? { |option| @options[option] }
-            enforce_ssl_for?(path_keys, req)
-          else
-            true
-          end
-        else
-          false
-        end
-      elsif path_keys.any? { |option| @options[option] }
-        enforce_ssl_for?(path_keys, req)
-      else
-        true
-      end
+    def enforce_non_ssl?
+      @options[:strict] || @options[:mixed] && !(@request.request_method == 'PUT' || @request.request_method == 'POST')
     end
 
-    def replace_scheme(req, scheme)
-      if @options[:redirect_to]
-        uri = URI.split(@options[:redirect_to])
-        uri = uri[2] || uri[5]
-      else
-        uri = nil
+    def enforce_ssl?
+      CONSTRAINTS_BY_TYPE.inject(true) do |memo, (type, keys)|
+        memo && enforce_ssl_for?(keys)
       end
-      host = uri || req.host
-      port = port_for(scheme).to_s
-
-      URI.parse("#{scheme}://#{host}:#{port}#{req.fullpath}").to_s
     end
 
-    def port_for(scheme)
+    def replace_scheme(uri, scheme)
+      return uri if not scheme_mismatch?
+      
+      port = adjust_port_to(scheme)
+      uri_parts = URI.split(uri)
+      uri_parts[3] = port unless port.nil?
+      uri_parts[0] = scheme
+      URI::HTTP.new(*uri_parts).to_s
+    end
+    
+    def replace_host(uri, host)
+      return uri unless host_mismatch?
+      
+      host_parts = URI.split(host)
+      new_host = host_parts[2] || host_parts[5]
+      uri_parts = URI.split(uri)
+      uri_parts[2] = new_host
+      URI::HTTPS.new(*uri_parts).to_s
+    end
+    
+    def adjust_port_to(scheme)
       if scheme == 'https'
-        @options[:https_port] || 443
-      else
-        @options[:http_port] || 80
+        @options[:https_port] if @options[:https_port] && @options[:https_port] != URI::HTTPS.default_port
+      elsif scheme == 'http'
+        @options[:http_port] if @options[:http_port] && @options[:http_port] != URI::HTTP.default_port
       end
     end
 

data/lib/rack/ssl-enforcer/constraint.rb

@@ -0,0 +1,38 @@
+class SslEnforcerConstraint
+  def initialize(name, rule, request)
+    @name    = name
+    @rule    = rule
+    @request = request
+  end
+
+  def matches?
+    if @rule.is_a?(String) && [:only, :except].include?(@name)
+      result = tested_string[0, @rule.size].send(operator, @rule)
+    else
+      result = tested_string.send(operator, @rule)
+    end
+    
+    negate_result? ? !result : result
+  end
+
+private
+  
+  def negate_result?
+    @name.to_s =~ /except/
+  end
+
+  def operator
+    @rule.is_a?(Regexp) ? "=~" : "=="
+  end
+
+  def tested_string
+    case @name.to_s
+    when /hosts/
+      @request.host
+    when /methods/
+      @request.request_method
+    else
+      @request.path
+    end
+  end
+end

data/lib/rack/ssl-enforcer/version.rb

@@ -1,5 +1,5 @@
 module Rack
   class SslEnforcer
-    VERSION = "0.2.4"
+    VERSION = "0.2.5"
   end
 end

metadata

@@ -1,12 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: rack-ssl-enforcer
 version: !ruby/object:Gem::Version 
-  prerelease: false
+  hash: 29
+  prerelease: 
   segments: 
   - 0
   - 2
-  - 4
-  version: 0.2.4
+  - 5
+  version: 0.2.5
 platform: ruby
 authors: 
 - Tobias Matthies
@@ -15,8 +16,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2011-09-05 00:00:00 +02:00
-default_executable: 
+date: 2012-11-14 00:00:00 Z
 dependencies: 
 - !ruby/object:Gem::Dependency 
   name: bundler
@@ -26,6 +26,7 @@ dependencies:
     requirements: 
     - - ~>
       - !ruby/object:Gem::Version 
+        hash: 15
         segments: 
         - 1
         - 0
@@ -40,6 +41,7 @@ dependencies:
     requirements: 
     - - ~>
       - !ruby/object:Gem::Version 
+        hash: 5
         segments: 
         - 2
         - 3
@@ -54,6 +56,7 @@ dependencies:
     requirements: 
     - - ~>
       - !ruby/object:Gem::Version 
+        hash: 37
         segments: 
         - 2
         - 11
@@ -69,6 +72,7 @@ dependencies:
     requirements: 
     - - ~>
       - !ruby/object:Gem::Version 
+        hash: 31
         segments: 
         - 1
         - 2
@@ -84,6 +88,7 @@ dependencies:
     requirements: 
     - - ~>
       - !ruby/object:Gem::Version 
+        hash: 3
         segments: 
         - 0
         - 5
@@ -102,12 +107,12 @@ extensions: []
 extra_rdoc_files: []
 
 files: 
+- lib/rack/ssl-enforcer/constraint.rb
 - lib/rack/ssl-enforcer/version.rb
 - lib/rack/ssl-enforcer.rb
 - lib/rack-ssl-enforcer.rb
 - LICENSE
-- README.rdoc
-has_rdoc: true
+- README.md
 homepage: http://github.com/tobmatth/rack-ssl-enforcer
 licenses: []
 
@@ -121,6 +126,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements: 
   - - ">="
     - !ruby/object:Gem::Version 
+      hash: 3
       segments: 
       - 0
       version: "0"
@@ -129,6 +135,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
   requirements: 
   - - ">="
     - !ruby/object:Gem::Version 
+      hash: 23
       segments: 
       - 1
       - 3
@@ -137,7 +144,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 requirements: []
 
 rubyforge_project: rack-ssl-enforcer
-rubygems_version: 1.3.7
+rubygems_version: 1.8.24
 signing_key: 
 specification_version: 3
 summary: A simple Rack middleware to enforce SSL

data/README.rdoc

@@ -1,111 +0,0 @@
-= Rack::SslEnforcer
-
-Rack::SslEnforcer is a simple Rack middleware to enforce SSL connections. As of Version 0.2.0, Rack::SslEnforcer marks
-Cookies as secure by default (HSTS must be set manually).
-
-Tested on Ruby 1.8.7, 1.9.2, REE, JRuby and Rubinius.
-
-== Installation
-
-  gem install rack-ssl-enforcer
-
-
-== Basic Usage
-
-  require 'rack/ssl-enforcer'
-  use Rack::SslEnforcer
-
-Or, if you are using Bundler, just add this to your Gemfile:
-
-  gem 'rack-ssl-enforcer'
-
-To use Rack::SslEnforcer in your Rails application, add the following line to your application
-config file (<tt>config/application.rb</tt> for Rails 3, <tt>config/environment.rb</tt> for Rails 2):
-
-  config.middleware.use Rack::SslEnforcer
-
-If all you want is SSL for your whole application, you are done! However, you can specify some
-
-
-== Options
-
-You might need the :redirect_to option if the requested URL can't be determined (e.g. if using a proxy).
-
-  config.middleware.use Rack::SslEnforcer, :redirect_to => 'https://example.org'
-
-You can also define specific regex patterns or paths or hosts to redirect.
-
-  config.middleware.use Rack::SslEnforcer, :only => /^\/admin\//
-  config.middleware.use Rack::SslEnforcer, :only => "/login"
-  config.middleware.use Rack::SslEnforcer, :only => ["/login", /\.xml$/]
-  config.middleware.use Rack::SslEnforcer, :only_hosts => 'api.example.com'
-  config.middleware.use Rack::SslEnforcer, :only_hosts => [/[www|api]\.example\.org$/, 'example.com']
-  config.middleware.use Rack::SslEnforcer, :except_hosts => 'help.example.com'
-  config.middleware.use Rack::SslEnforcer, :except_hosts => /[help|blog]\.example\.com$/
-
-Note: hosts options take precedence over the path options. See tests for examples.
-
-Use the :strict option to force http for all requests not matching your :only specification
-
-  config.middleware.use Rack::SslEnforcer, :only => ["/login", /\.xml$/], :strict => true
-  config.middleware.use Rack::SslEnforcer, :only_hosts => 'api.example.com', :strict => true
-
-Or in the case where you have matching urls with different methods (Rails RESTful routes: get#users post#users || get#user/:id put#user/:id) you may need to post and put to secure but redirect to http on get.
-
-  config.middleware.use Rack::SslEnforcer, :only => [%r{^/users/}], :mixed => true
-
-The above will allow you to post/put from the secure/non-secure urls keeping the original schema.
-
-To set HSTS expiry and subdomain inclusion (defaults: one year, true). Strict option disables HSTS.
-
-  config.middleware.use Rack::SslEnforcer, :hsts => { :expires => 500, :subdomains => false }
-  config.middleware.use Rack::SslEnforcer, :hsts => true # equivalent to { :expires => 31536000, :subdomains => true }
-
-Finally you might want to share a cookie based session between http and https.
-This is not possible by default with Rack::SslEnforcer for security reasons.
-See: [http://en.wikipedia.org/wiki/HTTP_cookie#Cookie_theft_and_session_hijacking]
-
-Nevertheless, you can set the option :force_secure_cookies to false in order to be able to share a cookie based session between http and https:
-
-  config.middleware.use Rack::SslEnforcer, :only => "/login", :force_secure_cookies => false
-
-But be aware that if you do so, you have to make sure that the content of you cookie is encoded.
-This can be done using a coder with Rack::Session::Cookie.
-See: [https://github.com/rack/rack/blob/master/lib/rack/session/cookie.rb#L28-42]
-
-
-== TODO
-
-* Add configuration option to specify local http / https ports
-* Cleanup tests
-
-
-== Contributors
-
-* {Dan Mayer}[http://github.com/danmayer]
-* {Rémy Coutable}[http://github.com/rymai]
-* {Thibaud Guillaume-Gentil}[http://github.com/thibaudgg]
-* {Paul Annesley}[https://github.com/pda]
-* {Saimon Moore}[https://github.com/saimonmoore]
-
-
-== Credits
-
-Flagging cookies as secure functionality and HSTS support is greatly inspired by {Joshua Peek's Rack::SSL}[https://github.com/josh/rack-ssl]
-
-
-== Note on Patches/Pull Requests
-
-* Fork the project.
-* Make your feature addition or bug fix.
-* Add tests for it. This is important so I don't break it in a
-  future version unintentionally.
-* Commit, do not mess with rakefile, version, or history.
-  (if you want to have your own version,
-  that is fine but bump version in a commit by itself I can ignore when I pull)
-* Send me a pull request. Bonus points for topic branches.
-
-
-== Copyright
-
-Copyright (c) 2010 Tobias Matthies. See LICENSE for details.