Class: Rack::Protection::StrictTransport

Inherits:
Base
  • Object
show all
Defined in:
lib/rack/protection/strict_transport.rb

Overview

Prevented attack

Protects against against protocol downgrade attacks and cookie hijacking.

Supported browsers

all

More infos

en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

browser will prevent any communications from being sent over HTTP to the specified domain and will instead send all communications over HTTPS. It also prevents HTTPS click through prompts on browsers.

Options:

max_age

How long future requests to the domain should go over HTTPS; specified in seconds

include_subdomains

If all present and future subdomains will be HTTPS

preload

Allow this domain to be included in browsers HSTS preload list. See hstspreload.appspot.com/

Constant Summary

Constants inherited from Base

Base::DEFAULT_OPTIONS

Instance Attribute Summary

Attributes inherited from Base

#app, #options

Instance Method Summary collapse

Methods inherited from Base

#accepts?, #debug, #default_options, default_options, default_reaction, #deny, #drop_session, #encrypt, #html?, #initialize, #instrument, #origin, #random_string, #react, #referrer, #report, #safe?, #secure_compare, #session, #session?, #warn

Constructor Details

This class inherits a constructor from Rack::Protection::Base

Instance Method Details

#call(env) ⇒ Object



34
35
36
37
38
# File 'lib/rack/protection/strict_transport.rb', line 34

def call(env)
  status, headers, body = @app.call(env)
  headers['strict-transport-security'] ||= strict_transport
  [status, headers, body]
end

#strict_transportObject



25
26
27
28
29
30
31
32
# File 'lib/rack/protection/strict_transport.rb', line 25

def strict_transport
  @strict_transport ||= begin
    strict_transport = "max-age=#{options[:max_age]}"
    strict_transport += '; includeSubDomains' if options[:include_subdomains]
    strict_transport += '; preload' if options[:preload]
    strict_transport.to_str
  end
end