edge badge

This middleware is added to the stack when `config.force_ssl = true`. It does three jobs to enforce secure HTTP requests:

1. TLS redirect. http:// requests are permanently redirected to https://
   with the same URL host, path, etc. Pass `:host` and/or `:port` to
   modify the destination URL. This is always enabled.

2. Secure cookies. Sets the `secure` flag on cookies to tell browsers they
   mustn't be sent along with http:// requests. This is always enabled.

3. HTTP Strict Transport Security (HSTS). Tells the browser to remember
   this site as TLS-only and automatically redirect non-TLS requests.
   Enabled by default. Pass `hsts: false` to disable.

Configure HSTS with `hsts: { … }`:

* `expires`: How long, in seconds, these settings will stick. Defaults to
  `180.days` (recommended). The minimum required to qualify for browser
  preload lists is `18.weeks`.
* `subdomains`: Set to `true` to tell the browser to apply these settings
  to all subdomains. This protects your cookies from interception by a
  vulnerable site on a subdomain. Defaults to `false`.
* `preload`: Advertise that this site may be included in browsers'
  preloaded HSTS lists. HSTS protects your site on every visit *except the
  first visit* since it hasn't seen your HSTS header yet. To close this
  gap, browser vendors include a baked-in list of HSTS-enabled sites.
  Go to https://hstspreload.appspot.com to submit your site for inclusion.

Disabling HSTS: To turn off HSTS, omitting the header is not enough. Browsers will remember the original HSTS directive until it expires. Instead, use the header to tell browsers to expire HSTS immediately. Setting `hsts: false` is a shortcut for `hsts: { expires: 0 }`.

HSTS_EXPIRES_IN = 15552000

Default to 180 days, the low end for www.ssllabs.com/ssltest/ and greater than the 18-week requirement for browser preload lists.

Class Public methods
# File actionpack/lib/action_dispatch/middleware/ssl.rb, line 38
def self.default_hsts_options
  { expires: HSTS_EXPIRES_IN, subdomains: false, preload: false }
new(app, redirect: {}, hsts: {}, **options)
# File actionpack/lib/action_dispatch/middleware/ssl.rb, line 42
    def initialize(app, redirect: {}, hsts: {}, **options)
      @app = app

      if options[:host] || options[:port]
        ActiveSupport::Deprecation.warn "          The `:host` and `:port` options are moving within `:redirect`:
          `config.ssl_options = { redirect: { host: …, port: … }}`.
        @redirect = options.slice(:host, :port)
        @redirect = redirect

      @hsts_header = build_hsts_header(normalize_hsts_options(hsts))
Instance Public methods
# File actionpack/lib/action_dispatch/middleware/ssl.rb, line 58
def call(env)
  request = Request.new env

  if request.ssl?
    @app.call(env).tap do |status, headers, body|
      set_hsts_header! headers
      flag_cookies_as_secure! headers
    redirect_to_https request