Module: Roda::RodaPlugins::Hsts

Defined in:
lib/roda/plugins/hsts.rb

Overview

The hsts plugin allows for easily configuring an appropriate Strict-Transport-Security response header for the application:

plugin :hsts
# Strict-Transport-Security: max-age=63072000; includeSubDomains

plugin :hsts, preload: true
# Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

plugin :hsts, max_age: 31536000, subdomains: false
# Strict-Transport-Security: max-age=31536000

Class Method Details

.configure(app, opts = OPTS) ⇒ Object

Configure the Strict-Transport-Security header. Options:

:max_age

Set max-age in seconds (default is 63072000, two years)

:preload

Set preload, so the domain can be included in HSTS preload lists

:subdomains

Set to false to not set includeSubDomains. By default, includeSubDomains is set to enforce HTTPS for subdomains.



# File 'lib/roda/plugins/hsts.rb', line 28

def self.configure(app, opts=OPTS)
  app.plugin :default_headers, RodaResponseHeaders::STRICT_TRANSPORT_SECURITY => "max-age=#{opts[:max_age]||63072000}#{'; includeSubDomains' unless opts[:subdomains] == false}#{'; preload' if opts[:preload]}".freeze
end
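
The configure method above builds the header from the options as given and does not check that they fit together, so `preload: true` combined with `subdomains: false` or a short `max_age` yields a header that the browser preload list will not accept. The following check is an added example, not part of Roda: `hsts_value` repeats the string expression from configure, `parse_hsts` and `preload_problems` are hypothetical helpers, and the thresholds are the hstspreload.org submission requirements (max-age of at least one year, includeSubDomains and preload present).

```ruby
# Added example, not Roda code. hsts_value repeats the string expression from
# Hsts.configure; parse_hsts and preload_problems are hypothetical helpers.
PRELOAD_MIN_MAX_AGE = 31_536_000 # one year, the hstspreload.org minimum

def hsts_value(opts = {})
  "max-age=#{opts[:max_age] || 63072000}" \
    "#{'; includeSubDomains' unless opts[:subdomains] == false}" \
    "#{'; preload' if opts[:preload]}"
end

# Split a header value into { lowercased directive name => value or true }.
# Directive names are case-insensitive (RFC 6797).
def parse_hsts(value)
  value.split(';').each_with_object({}) do |part, directives|
    name, val = part.strip.split('=', 2)
    name = name.to_s.strip
    next if name.empty?
    directives[name.downcase] = val ? val.delete('"').strip : true
  end
end

# Return the reasons a header value would be rejected for preload submission.
def preload_problems(value)
  d = parse_hsts(value)
  max_age = d['max-age'].to_s[/\A\d+\z/]&.to_i
  problems = []
  if max_age.nil?
    problems << 'max-age missing or not an integer'
  elsif max_age < PRELOAD_MIN_MAX_AGE
    problems << "max-age #{max_age} is below #{PRELOAD_MIN_MAX_AGE}"
  end
  problems << 'includeSubDomains missing' unless d.key?('includesubdomains')
  problems << 'preload missing' unless d.key?('preload')
  problems
end

if __FILE__ == $PROGRAM_NAME
  # Constructed option sets: one valid, two that the preload list would reject.
  [{ preload: true }, { preload: true, subdomains: false },
   { preload: true, max_age: 86_400 }].each do |opts|
    value = hsts_value(opts)
    puts "#{opts} => #{value.inspect}: #{preload_problems(value).inspect}"
  end
end
```

Running the same check against the header a deployed application actually returns also catches a proxy or CDN that rewrites or drops the directive.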

.load_dependencies(app, opts = OPTS) ⇒ Object

Ensure default_headers plugin is loaded first



# File 'lib/roda/plugins/hsts.rb', line 19

def self.load_dependencies(app, opts=OPTS)
  app.plugin :default_headers
end