spinels-rack-ssl-enforcer 0.3.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 3733938868eed1e628160489ff7e1e037bf2258bbbccc4c711f976b9a7292b78
+  data.tar.gz: 9dcace39e52062c55a6ad68490dd750382e0d9400a22e6f315d4dadf1918e961
+SHA512:
+  metadata.gz: e38fa0bd54a6693492983439f9bfe6f709093b2529bfe233469bc787ad82d83f948960e1868613b5f8c53c8aec948712404eade6428cfdfadcc30917df17bb55
+  data.tar.gz: d4812f9e02c859da5f3f4545e0a6a03d41376bd723ec7e850dc8212d984ae17d0d5a42442842578cc323564569cdfbe55ae8c3aeffb8d15c62e634d1395a0473

data/LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2009-2012 Tobias Matthies
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,340 @@
+**`spinels/rack-ssl-enforcer`** is a fork of [`tobmatth/rack-ssl-enforcer`][tobmatth/rack-ssl-enforcer] with the following patches applied:
+
+- https://github.com/tobmatth/rack-ssl-enforcer/pull/105
+
+It has been republished to RubyGems under the name [`spinels-rack-ssl-enforcer`](https://rubygems.org/gems/spinels-rack-ssl-enforcer).
+
+[tobmatth/rack-ssl-enforcer]: https://github.com/tobmatth/rack-ssl-enforcer
+
+---
+
+# Rack::SslEnforcer [![CI](https://github.com/spinels/rack-ssl-enforcer/actions/workflows/ci.yml/badge.svg)](https://github.com/spinels/rack-ssl-enforcer/actions/workflows/ci.yml)
+
+Rack::SslEnforcer is a simple Rack middleware to enforce TLS/SSL connections. As of Version 0.2.0, Rack::SslEnforcer marks
+Cookies as secure by default (HSTS must be set manually).
+
+## Installation
+
+The simplest way to install Rack::SslEnforcer is to use [Bundler](https://bundler.io/).
+
+Add Rack::SslEnforcer to your `Gemfile`:
+
+```ruby
+ gem 'spinels-rack-ssl-enforcer'
+```
+
+### Installing on Sinatra / Padrino application
+
+In order for Rack::SslEnforcer to properly work it has to be at the top
+of the Rack Middleware.
+
+Using `enable :session` will place Rack::Session::Cookie before Rack::Ssl::Enforcer
+and will prevent Rack::Ssl::Enforcer from marking cookies as secure.
+
+To fix this issue do not use `enable :sessions` instead add the
+Rack::Session::Cookie middleware after Rack::Ssl::Enforcer.
+
+Eg:
+
+```ruby
+use Rack::SslEnforcer
+set :session_secret, 'asdfa2342923422f1adc05c837fa234230e3594b93824b00e930ab0fb94b'
+
+#Enable sinatra sessions
+use Rack::Session::Cookie, :key => '_rack_session',
+                           :path => '/',
+                           :expire_after => 2592000, # In seconds
+                           :secret => settings.session_secret
+```
+
+## Basic Usage
+
+If you don't use Bundler, be sure to require Rack::SslEnforcer manually before actually using the middleware:
+
+```ruby
+ require 'rack/ssl-enforcer'
+ use Rack::SslEnforcer
+```
+
+To use Rack::SslEnforcer in your Rails application, add the following line to your application config file (`config/application.rb` for Rails 3 and above, `config/environment.rb` for Rails 2):
+
+```ruby
+config.middleware.insert_before  ActionDispatch::Cookies, Rack::SslEnforcer
+```
+Cookies should be set before the SslEnforcer processes the headers,
+but due to the middleware calls chain Rack::SslEnforcer should be inserted before the ActionDispatch::Cookies.
+
+If all you want is SSL for your whole application, you are done! Otherwise, you can specify some options described below.
+
+## Options
+
+### Host constraints
+
+You can enforce SSL connections only for certain hosts with `:only_hosts`, or prevent certain hosts from being forced to SSL with `:except_hosts`. Constraints can be a `String`, a `Regex` or an array of `String` or `Regex` (possibly mixed), as shown in the following examples:
+
+```ruby
+config.middleware.use Rack::SslEnforcer, :only_hosts => 'api.example.com'
+# Please note that, for instance, both http://help.example.com/demo and https://help.example.com/demo would be accessible here
+
+config.middleware.use Rack::SslEnforcer, :except_hosts => /(help|blog)\.example\.com$/
+
+config.middleware.use Rack::SslEnforcer, :only_hosts => [/(help|blog)\.example\.org$/, 'api.example.com']
+```
+
+### Path constraints
+
+You can enforce SSL connections only for certain paths with `:only`, prevent certain paths from being forced to SSL with `:except`, or - if you don't care how certain paths are accessed - ignore them with `:ignore`. Constraints can be a `String`, a `Regex` or an array of `String` or `Regex` (possibly mixed), as shown in the following examples:
+
+```ruby
+config.middleware.use Rack::SslEnforcer, :only => '/login'
+# Please note that, for instance, both http://example.com/demo and https://example.com/demo would be accessible here
+
+config.middleware.use Rack::SslEnforcer, :only => %r{^/admin/}
+
+config.middleware.use Rack::SslEnforcer, :except => ['/demo', %r{^/public/}]
+
+config.middleware.use Rack::SslEnforcer, :ignore => '/assets'
+
+# You can also combine multiple constraints
+config.middleware.use Rack::SslEnforcer, :only => '/cart', :ignore => %r{/assets}, :strict => true
+
+# And ignore based on blocks
+config.middleware.use Rack::SslEnforcer, :ignore => lambda { |request| request.env["HTTP_X_IGNORE_SSL_ENFORCEMENT"] == "magic" }
+```
+
+### Method constraints
+
+You can enforce SSL connections only for certain HTTP methods with `:only_methods`, or prevent certain HTTP methods from being forced to SSL with `:except_methods`. Constraints can be a `String` or an array of `String`, as shown in the following examples:
+
+```ruby
+# constraint as a String
+config.middleware.use Rack::SslEnforcer, :only_methods => 'POST'
+# Please note that, for instance, GET requests would be accessible via SSL and non-SSL connection here
+
+config.middleware.use Rack::SslEnforcer, :except_methods => ['GET', 'HEAD']
+```
+
+Note: The `:hosts` constraint takes precedence over the `:path` constraint. Please see the tests for examples.
+
+
+### Environment constraints
+
+You can enforce SSL connections only for certain environments with `:only_environments` or prevent certain environments from being forced to SSL with `:except_environments`.
+Environment constraints may be a `String`, a `Regex` or an array of `String` or `Regex` (possibly mixed), as shown in the following examples:
+
+```ruby
+config.middleware.use Rack::SslEnforcer, :except_environments => 'development'
+
+config.middleware.use Rack::SslEnforcer, :except_environments => /^[0-9a-f]+_local$/i
+
+config.middleware.use Rack::SslEnforcer, :only_environments => ['production', /^QA/]
+```
+
+Note: The `:environments` constraint requires one the following environment variables to be set: `RACK_ENV`, `RAILS_ENV`, `ENV`.
+
+### User agent constraints
+
+You can enforce SSL connections only for certain user agents with `:only_agents` or prevent certain user agents from being forced to SSL with `:except_agents`.
+User agent constraints may be a `String`, a `Regex` or an array of `String` or `Regex` (possibly mixed), as shown in the following examples:
+
+```ruby
+config.middleware.use Rack::SslEnforcer, :except_agents => 'Googlebot'
+
+config.middleware.use Rack::SslEnforcer, :except_agents => /Googlebot|bingbot/
+
+config.middleware.use Rack::SslEnforcer, :only_agents => ['test-secu-bot', /custom-crawler[0-9a-f]/]
+```
+
+### Force-redirection to non-SSL connection if constraint is not matched
+
+Use the `:strict` option to force non-SSL connection for all requests not matching the constraints you set. Examples:
+
+```ruby
+config.middleware.use Rack::SslEnforcer, :only => ["/login", /\.xml$/], :strict => true
+# https://example.com/demo would be redirected to http://example.com/demo
+
+config.middleware.use Rack::SslEnforcer, :except_hosts => 'demo.example.com', :strict => true
+# https://demo.example.com would be redirected to http://demo.example.com
+```
+
+### Automatic method constraints
+
+In the case where you have matching URLs with different HTTP methods – for instance Rails RESTful routes: `GET /users`, `POST /users`, `GET /user/:id` and `PUT /user/:id` – you may need to force POST and PUT requests to SSL connection but redirect to non-SSL connection on GET.
+
+```ruby
+config.middleware.use Rack::SslEnforcer, :only => [%r{^/users/}], :mixed => true
+```
+
+The above will allow you to POST/PUT from the secure/non-secure URLs keeping the original schema.
+
+### HTTP Strict Transport Security (HSTS)
+
+To set HSTS expiry and subdomain inclusion (defaults respectively to `one year` and `true`).
+
+```ruby
+config.middleware.use Rack::SslEnforcer, :hsts => { :expires => 500, :subdomains => false, :preload => false }
+config.middleware.use Rack::SslEnforcer, :hsts => true # equivalent to { :expires => 31536000, :subdomains => true, :preload => false }
+```
+Please note that the strict option disables HSTS.
+
+### Redirect to specific URL (e.g. if you're using a proxy)
+
+You might need the `:redirect_to` option if the requested URL can't be determined.
+
+```ruby
+config.middleware.use Rack::SslEnforcer, :redirect_to => 'https://example.org'
+```
+
+### Redirect with specific HTTP status code
+
+By default it redirects with HTTP status code 301(Moved Permanently). Sometimes you might need to redirect with different HTTP status code:
+
+```ruby
+config.middleware.use Rack::SslEnforcer, :redirect_code => 302
+```
+
+### Custom HTTP port
+
+If you're using a different port than the default (80) for HTTP, you can specify it with the `:http_port` option:
+
+```ruby
+config.middleware.use Rack::SslEnforcer, :http_port => 8080
+```
+
+### Custom HTTPS port
+
+If you're using a different port than the default (443) for HTTPS, you can specify it with the `:https_port` option:
+
+```ruby
+config.middleware.use Rack::SslEnforcer, :https_port => 444
+```
+
+### Secure cookies disabling
+
+Finally you might want to share a cookie based session between HTTP and HTTPS.
+This is not possible by default with Rack::SslEnforcer for [security reasons](http://en.wikipedia.org/wiki/HTTP_cookie#Cookie_theft_and_session_hijacking).
+
+Nevertheless, you can set the `:force_secure_cookies` option to `false` in order to be able to share a cookie based session between HTTP and HTTPS:
+
+```ruby
+config.middleware.use Rack::SslEnforcer, :only => "/login", :force_secure_cookies => false
+```
+
+But be aware that if you do so, you have to make sure that the content of you cookie is encoded.
+This can be done using a coder with [Rack::Session::Cookie](https://github.com/rack/rack/blob/master/lib/rack/session/cookie.rb#L28-42).
+
+### Running code before redirect
+
+You may want to run some code before rack-ssl-enforcer forces a redirect.  This code could do something like log that a redirect was done, or if this is used in a Rails app, keeping the flash when redirecting:
+
+
+```ruby
+config.middleware.use Rack::SslEnforcer, :only => '/login', :before_redirect => Proc.new { |request|
+  #keep flash on redirect
+  request.session[:flash].keep if !request.session.nil? && request.session.key?('flash') && !request.session['flash'].empty?
+}
+```
+
+### Custom or empty response body
+
+The default response body is:
+
+```html
+<html><body>You are being <a href="https://www.example.org/">redirected</a>.</body></html>
+```
+
+To supply a custom message, provide a string as `:redirect_html`:
+
+```ruby
+config.middleware.use Rack::SslEnforcer, :redirect_html => 'Redirecting!'
+```
+
+To supply a series of responses for Rack to chunk, provide a [permissable Rack body object](http://rack.rubyforge.org/doc/SPEC.html):
+
+```ruby
+config.middleware.use Rack::SslEnforcer, :redirect_html => ['<html>','<body>','Hello!','</body>','</html>']
+```
+
+To supply an empty response body, provide :redirect_html as false:
+
+```ruby
+config.middleware.use Rack::SslEnforcer, :redirect_html => false
+```
+
+## Deployment
+
+If you run your application behind a proxy (e.g. Nginx) you may need to do some configuration on that side. If you don't you may experience an infinite redirect loop.
+
+The reason this happens is that Rack::SslEnforcer can't detect if you are running SSL or not. The solution is to have your front-end server send extra headers for Rack::SslEnforcer to identify the request protocol.
+
+### Nginx
+
+In the `location` block for your app's SSL configuration, include the following proxy header configuration:
+
+`proxy_set_header   X-Forwarded-Proto https;`
+
+### Nginx behind Load Balancer
+
+The following instruction has been tested behind AWS ELB, but can be adapted to work behind any load balancer.
+Specifically, the options below account for termination of SSL at the load balancer (HTTP only communication between load balancer and server), and HTTP only health checks.
+
+In the `location` block for your app's SSL configuration, reference the following proxy header configurations:
+
+```
+proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
+proxy_set_header Host $http_host;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for
+proxy_redirect off;
+```
+
+In `config/application.rb` for Rails 3 and above, `config/environment.rb` for Rails 2, work off the following line:
+
+```ruby
+config.middleware.use Rack::SslEnforcer, ignore: lambda { |request| request.env["HTTP_X_FORWARDED_PROTO"].blank? }, strict: true
+```
+
+This ignores ELB healthchecks and development environment as ELB healthchecks aren't forwarded requests, so it wouldn't have the forwarded proto header.
+
+Same goes for when running without a proxy (like developemnt locally), making `:except_environments => 'development'` unnecessary.
+
+In Sinatra or other non-rails ruby applications, work off the following line:
+```ruby
+use Rack::SslEnforcer, :except_environments => ['development', 'test'], :ignore => '/healthcheck'
+```
+
+### Passenger
+
+Or, if you're using mod_rails/passenger (which will ignore the proxy_xxx directives):
+
+`passenger_set_cgi_param HTTP_X_FORWARDED_PROTO https;`
+
+If you're sharing a single `server` block for http AND https access you can add:
+
+`passenger_set_cgi_param HTTP_X_FORWARDED_PROTO $scheme;`
+
+This makes sure that Rack::SslEnforcer knows it's being accessed over SSL. Just restart Nginx for these changes to take effect.
+
+## TODO
+
+* Cleanup tests
+
+#### Contributors
+
+- [https://github.com/tobmatth/rack-ssl-enforcer/graphs/contributors](https://github.com/tobmatth/rack-ssl-enforcer/graphs/contributors)
+- [https://github.com/spinels/rack-ssl-enforcer/graphs/contributors](https://github.com/spinels/rack-ssl-enforcer/graphs/contributors)
+
+## Credits
+
+Flagging cookies as secure functionality and HSTS support is greatly inspired by [Joshua Peek's Rack::SSL](https://rubygems.org/gems/rack-ssl).
+
+## Note on Patches / Pull Requests
+
+* Fork the project.
+* Code your feature addition or bug fix.
+* **Add tests for it.** This is important so we don't break it in a future version unintentionally.
+* Commit, do not mess with Rakefile or version number. If you want to have your own version, that's fine but bump version in a commit by itself so we can ignore it when merging.
+* Send a pull request. Bonus points for topic branches.
+
+## Copyright
+
+Copyright (c) 2010-2013 Tobias Matthies. See [LICENSE](https://github.com/tobmatth/rack-ssl-enforcer/blob/master/LICENSE) for details.

data/lib/rack/ssl-enforcer/constraint.rb

@@ -0,0 +1,44 @@
+class SslEnforcerConstraint
+  def initialize(name, rule, request)
+    @name    = name
+    @rule    = rule
+    @request = request
+  end
+
+  def matches?
+    if @rule.is_a?(String) && [:only, :except].include?(@name)
+      result = tested_string[0, @rule.size].send(operator, @rule)
+    elsif @rule.respond_to?(:call)
+      result = @rule.call(@request)
+    else
+      result = tested_string.send(operator, @rule)
+    end
+
+    negate_result? ? !result : result
+  end
+
+private
+
+  def negate_result?
+    @name.to_s =~ /except/
+  end
+
+  def operator
+    @rule.is_a?(Regexp) ? "=~" : "=="
+  end
+
+  def tested_string
+    case @name.to_s
+    when /hosts/
+      @request.host
+    when /methods/
+      @request.request_method
+    when /environments/
+      ENV["RACK_ENV"] || ENV["RAILS_ENV"] || ENV["ENV"]
+    when /agents/
+      @request.user_agent
+    else
+      @request.path
+    end
+  end
+end

data/lib/rack/ssl-enforcer/version.rb

@@ -0,0 +1,5 @@
+module Rack
+  class SslEnforcer
+    VERSION = "0.3.0"
+  end
+end

data/lib/rack/ssl-enforcer.rb

@@ -0,0 +1,207 @@
+require 'rack/ssl-enforcer/constraint'
+
+module Rack
+
+  class SslEnforcer
+
+    CONSTRAINTS_BY_TYPE = {
+      :hosts        => [:only_hosts, :except_hosts],
+      :agents       => [:only_agents, :except_agents],
+      :path         => [:only, :except],
+      :methods      => [:only_methods, :except_methods],
+      :environments => [:only_environments, :except_environments]
+    }
+
+    # Warning: If you set the option force_secure_cookies to false, make sure that your cookies
+    # are encoded and that you understand the consequences (see documentation)
+    def initialize(app, options={})
+      default_options = {
+        :redirect_to          => nil,
+        :redirect_code        => nil,
+        :strict               => false,
+        :mixed                => false,
+        :hsts                 => nil,
+        :http_port            => nil,
+        :https_port           => nil,
+        :force_secure_cookies => true,
+        :redirect_html        => nil,
+        :before_redirect      => nil
+      }
+      CONSTRAINTS_BY_TYPE.values.each do |constraints|
+        constraints.each { |constraint| default_options[constraint] = nil }
+      end
+
+      @app, @options = app, default_options.merge(options)
+    end
+
+    def call(env)
+      req = Rack::Request.new(env)
+
+      return @app.call(env) if ignore?(req)
+
+      scheme = if enforce_ssl?(req)
+        'https'
+      elsif enforce_non_ssl?(req)
+        'http'
+      end
+
+      if redirect_required?(req, scheme)
+        call_before_redirect(req)
+        modify_location_and_redirect(req, scheme)
+      elsif ssl_request?(req)
+        status, headers, body = @app.call(env)
+        flag_cookies_as_secure!(headers) if @options[:force_secure_cookies]
+        set_hsts_headers!(headers) if @options[:hsts] && !@options[:strict]
+        [status, headers, body]
+      else
+        @app.call(env)
+      end
+    end
+
+  private
+
+    def redirect_required?(req, scheme)
+      scheme_mismatch?(req, scheme) || host_mismatch?(req)
+    end
+
+    def ignore?(req)
+      if @options[:ignore]
+        rules = [@options[:ignore]].flatten.compact
+        rules.any? do |rule|
+          SslEnforcerConstraint.new(:ignore, rule, req).matches?
+        end
+      else
+        false
+      end
+    end
+
+    def scheme_mismatch?(req, scheme)
+      scheme && scheme != current_scheme(req)
+    end
+
+    def host_mismatch?(req)
+      destination_host && destination_host != req.host
+    end
+
+    def call_before_redirect(req)
+       @options[:before_redirect].call(req) unless @options[:before_redirect].nil?
+    end
+
+    def modify_location_and_redirect(req, scheme)
+      location = "#{current_scheme(req)}://#{req.host}#{req.fullpath}"
+      location = replace_scheme(location, req, scheme)
+      location = replace_host(location, req, @options[:redirect_to])
+      redirect_to(location)
+    rescue URI::InvalidURIError
+      [400, { 'Content-Type' => 'text/plain'}, []]
+    end
+
+    def redirect_to(location)
+      body = []
+      body << "<html><body>You are being <a href=\"#{location}\">redirected</a>.</body></html>" if @options[:redirect_html].nil?
+      body << @options[:redirect_html] if @options[:redirect_html].is_a?(String)
+      body = @options[:redirect_html] if @options[:redirect_html].respond_to?('each')
+
+      [@options[:redirect_code] || 301, { 'Content-Type' => 'text/html', 'Location' => location }, body]
+    end
+
+    def ssl_request?(req)
+      current_scheme(req) == 'https'
+    end
+
+    def destination_host
+      if @options[:redirect_to]
+        host_parts = URI.split(@options[:redirect_to])
+        host_parts[2] || host_parts[5]
+      end
+    end
+
+    # Fixed in rack >= 1.3
+    def current_scheme(req)
+      if req.env['HTTPS'] == 'on' || req.env['HTTP_X_SSL_REQUEST'] == 'on'
+        'https'
+      elsif req.env['HTTP_X_FORWARDED_PROTO']
+        req.env['HTTP_X_FORWARDED_PROTO'].split(',')[0] || req.scheme
+      else
+        req.scheme
+      end
+    end
+
+    def enforce_ssl_for?(keys, req)
+      provided_keys = keys.select { |key| @options[key] }
+      if provided_keys.empty?
+        true
+      else
+        provided_keys.all? do |key|
+          rules = [@options[key]].flatten.compact
+          rules.send([:except_hosts, :except_agents, :except_environments, :except].include?(key) ? :all? : :any?) do |rule|
+            SslEnforcerConstraint.new(key, rule, req).matches?
+          end
+        end
+      end
+    end
+
+    def enforce_non_ssl?(req)
+      @options[:strict] || @options[:mixed] && !(req.request_method == 'PUT' || req.request_method == 'POST')
+    end
+
+    def enforce_ssl?(req)
+      CONSTRAINTS_BY_TYPE.inject(true) do |memo, (type, keys)|
+        memo && enforce_ssl_for?(keys, req)
+      end
+    end
+
+    def replace_scheme(uri, req, scheme)
+      return uri if not scheme_mismatch?(req, scheme)
+
+      port = adjust_port_to(scheme)
+      uri_parts = URI.split(uri)
+      uri_parts[3] = port unless port.nil?
+      uri_parts[0] = scheme
+      URI::HTTP.new(*uri_parts).to_s
+    end
+
+    def replace_host(uri, req, host)
+      return uri unless host_mismatch?(req)
+
+      host_parts = URI.split(host)
+      new_host = host_parts[2] || host_parts[5]
+      uri_parts = URI.split(uri)
+      uri_parts[2] = new_host
+      URI::HTTPS.new(*uri_parts).to_s
+    end
+
+    def adjust_port_to(scheme)
+      if scheme == 'https'
+        @options[:https_port] if @options[:https_port] && @options[:https_port] != URI::HTTPS.default_port
+      elsif scheme == 'http'
+        @options[:http_port] if @options[:http_port] && @options[:http_port] != URI::HTTP.default_port
+      end
+    end
+
+    # see http://en.wikipedia.org/wiki/HTTP_cookie#Cookie_theft_and_session_hijacking
+    def flag_cookies_as_secure!(headers)
+      if cookies = headers['Set-Cookie']
+        # Support Rails 2.3 / Rack 1.1 arrays as headers
+        unless cookies.is_a?(Array)
+          cookies = cookies.split("\n")
+        end
+
+        headers['Set-Cookie'] = cookies.map do |cookie|
+          cookie !~ /(^|;\s)secure($|;)/ ? "#{cookie}; secure" : cookie
+        end.join("\n")
+      end
+    end
+
+    # see http://en.wikipedia.org/wiki/Strict_Transport_Security
+    def set_hsts_headers!(headers)
+      opts = { :expires => 31536000, :subdomains => true, :preload => false }
+      opts.merge!(@options[:hsts]) if @options[:hsts].is_a? Hash
+      value  = "max-age=#{opts[:expires]}"
+      value += "; includeSubDomains" if opts[:subdomains]
+      value += "; preload" if opts[:preload]
+      headers.merge!({ 'Strict-Transport-Security' => value })
+    end
+
+  end
+end

data/lib/rack-ssl-enforcer.rb

@@ -0,0 +1 @@
+require 'rack/ssl-enforcer'

data/lib/spinels-rack-ssl-enforcer.rb

@@ -0,0 +1 @@
+require 'rack/ssl-enforcer'

metadata

@@ -0,0 +1,53 @@
+--- !ruby/object:Gem::Specification
+name: spinels-rack-ssl-enforcer
+version: !ruby/object:Gem::Version
+  version: 0.3.0
+platform: ruby
+authors:
+- Tobias Matthies
+- Thibaud Guillaume-Gentil
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2022-01-09 00:00:00.000000000 Z
+dependencies: []
+description: Rack::SslEnforcer is a simple Rack middleware to enforce ssl connections
+email:
+- github@tobiasmatthies.de
+- thibaud@thibaud.me
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- LICENSE
+- README.md
+- lib/rack-ssl-enforcer.rb
+- lib/rack/ssl-enforcer.rb
+- lib/rack/ssl-enforcer/constraint.rb
+- lib/rack/ssl-enforcer/version.rb
+- lib/spinels-rack-ssl-enforcer.rb
+homepage: http://github.com/spinels/rack-ssl-enforcer
+licenses:
+- MIT
+metadata:
+  rubygems_mfa_required: 'true'
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 1.9.3
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 1.3.6
+requirements: []
+rubygems_version: 3.2.33
+signing_key:
+specification_version: 4
+summary: A simple Rack middleware to enforce SSL
+test_files: []