在Rails 5中,我们可以执行以下操作:
config.ssl_options = { hsts: { expires: 10.days } }
我发现有一篇旧文章说我可以用
来执行它 before_filter :strict_transport_security
def strict_transport_security
if request.ssl?
response.headers['Strict-Transport-Security'] = "max-age=31536000; includeSubDomains"
end
end
此文件中有一个HSTS方法,这是否意味着在Rails 4.2中默认情况下它处于打开状态? https://github.com/rails/rails/blob/4-2-stable/actionpack/lib/action_dispatch/middleware/ssl.rb
答案 0 :(得分:1)
Rails 5添加了更多可以在ssl_options中指定的选项,但是rails 4已经具有基本的选项,包括hsts: { expires: 10.days, subdomains: false },如代码中所示。
config.force_ssl = true
config.ssl_options = { hsts: { expires: 10.days, subdomains: false } }