HSTS header adjusting

[Julian Gilbey]

I've been trying to set up HSTS headers on my pod, following the advice on https://hstspreload.org/ for setting up and testing HSTS preloading.  But after lots of exploration, I discovered that the environment.require_ssl = true setting makes Rack::SSL produce its own HSTS headers.  Rack::SSL also does the very useful job of ensuring that all cookies are marked as Secure.  But I want a slightly different HSTS header (I want to include includeSubDomains, for example).  I've used Apache's "Header always set ..." to create my own customised version, but bizarrely I end up with two different Strict-Transport-Security headers - it seems that Apache's Header option acts before the Rack::SSL middleware does its work??

So I considered setting environment.require_ssl = false, but then I lose the cookie security.

My current solution is to edit config/initializers/enforce_ssl.rb to add ", hsts: false" at the end of the Rack::SSL line.  It would be nice to have an additional option in the enviornment settings to do this.  (Rack::SSL does not offer the "preload" option, so in its current status, it cannot be used to produce the header I ultimately want.)

So something like

environment:
   require_ssl: true
   hsts_options: false

or

environment:
   require_ssl: true
   hsts_options:
      expires: 1000000
      subdomains: true

which would pass these options through to Rack::SSL if hsts_options is set.

Obviously this is an advanced option!!

Thoughts?

[Julian Gilbey]

I've just posted this as an issue on github, so ignore this message here and please post any followups on github.