I've been trying to set up HSTS headers on my pod, following the advice on
https://hstspreload.org/ for setting up and testing HSTS preloading. But after lots of exploration, I discovered that the environment.require_ssl = true setting makes Rack::SSL produce its own HSTS headers. Rack::SSL also does the very useful job of ensuring that all cookies are marked as Secure. But I want a slightly different HSTS header (I want to include includeSubDomains, for example). I've used Apache's "Header always set ..." to create my own customised version, but bizarrely I end up with two different Strict-Transport-Security headers - it seems that Apache's Header option acts before the Rack::SSL middleware does its work??
So I considered setting environment.require_ssl = false, but then I lose the cookie security.
My current solution is to edit config/initializers/enforce_ssl.rb to add ", hsts: false" at the end of the Rack::SSL line. It would be nice to have an additional option in the environment settings to do this. (Rack::SSL does not offer the "preload" option, so in its current status, it cannot be used to produce the header I ultimately want.)
So something like

  environment:
    require_ssl: true
    hsts_options: false

or

  environment:
    require_ssl: true
    hsts_options:
      expires: 1000000
      subdomains: true

which would pass these options through to Rack::SSL if hsts_options is set.
Obviously this is an advanced option!!
Thoughts?
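As an added example (not the poster's code, and not rack-ssl's own implementation), here is a small Rack-style middleware that does the two jobs discussed above in one place: it emits exactly one Strict-Transport-Security header built from hsts-style options, including the preload directive Rack::SSL lacks, and marks every Set-Cookie as Secure. The class name StrictTransport, the option names and the inner demo app are hypothetical/constructed; it needs no gems.

```ruby
# Hypothetical Rack-style middleware: one HSTS header, Secure cookies.
class StrictTransport
  def initialize(app, hsts: {})
    @app = app
    @hsts = hsts # false disables HSTS, like rack-ssl's hsts: false
  end

  def call(env)
    status, headers, body = @app.call(env)
    headers = headers.dup
    # Assign (not append), so the response carries a single STS header.
    headers['Strict-Transport-Security'] = self.class.hsts_value(@hsts) if @hsts
    headers['Set-Cookie'] = self.class.secure_cookies(headers['Set-Cookie']) if headers['Set-Cookie']
    [status, headers, body]
  end

  # Build the header value. expires is in seconds; includeSubDomains and
  # preload are opt-in. hstspreload.org currently requires max-age of at
  # least one year (31536000) together with both directives.
  def self.hsts_value(opts)
    value = "max-age=#{opts.fetch(:expires, 31_536_000)}"
    value << '; includeSubDomains' if opts[:subdomains]
    value << '; preload' if opts[:preload]
    value
  end

  # Set-Cookie may be a newline-joined String (classic Rack) or an Array;
  # add "; Secure" to each cookie that does not already carry it.
  def self.secure_cookies(cookies)
    list = cookies.is_a?(Array) ? cookies : cookies.split("\n")
    secured = list.map { |c| c =~ /;\s*secure\b/i ? c : "#{c}; Secure" }
    cookies.is_a?(Array) ? secured : secured.join("\n")
  end
end

# Constructed demo app: sets two cookies and no HSTS header of its own.
INNER_APP = lambda do |_env|
  [200, { 'Content-Type' => 'text/plain',
          'Set-Cookie' => "session=abc; Path=/; HttpOnly\nlang=en; Path=/" },
   ['ok']]
end

# Wrap the demo app with the options the poster wants and return the response.
def demo_response
  app = StrictTransport.new(INNER_APP,
                            hsts: { expires: 31_536_000, subdomains: true, preload: true })
  app.call({})
end
```

Wiring a middleware like this in place of the Apache header avoids the duplicate header, since there is then only one layer emitting Strict-Transport-Security.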