I don't want the includeSubDomains option.
➔ curl -s --head https://example.com/ |grep Strict
Strict-Transport-Security: max-age=15552000; includeSubDomains
This doesn't seem to be working:
config.force_ssl = true
config.ssl_options = { hsts: { subdomains: false } }
What am I doing wrong?
Rails 5.0.1
The problem turned out to be that Rails 5 has an initializer, new_framework_defaults.rb, which has this line:
Because it's in an initializer, no matter what you put in the environment config, those settings don't have an effect. I opened an issue about this here: https://github.com/rails/rails/issues/27638
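
A check that catches this kind of silent override, as an added example that is not part of the original post: it parses a Strict-Transport-Security value following RFC 6797 and reports when includeSubDomains differs from what the environment config asks for. The names `parse_hsts` and `hsts_mismatches` are hypothetical; the sample value is the one from the curl output above.

```ruby
# Added example: parse a Strict-Transport-Security value (RFC 6797, section 6.1)
# and compare it with the policy the app is supposed to send.

HstsPolicy = Struct.new(:max_age, :include_subdomains, :preload)

# Returns an HstsPolicy, or nil when the header is invalid and a browser
# would ignore it (missing or non-numeric max-age, duplicate directive).
def parse_hsts(value)
  seen = {}
  value.to_s.split(";").each do |part|
    part = part.strip
    next if part.empty?                     # empty directives are allowed
    name, arg = part.split("=", 2).map(&:strip)
    name = name.downcase                    # directive names are case-insensitive
    return nil if seen.key?(name)           # each directive may appear only once
    # max-age may be sent as a quoted-string, e.g. max-age="31536000"
    seen[name] = arg && arg.delete_prefix('"').delete_suffix('"')
  end
  return nil unless seen["max-age"].to_s.match?(/\A\d+\z/)
  HstsPolicy.new(seen["max-age"].to_i,
                 seen.key?("includesubdomains"),
                 seen.key?("preload"))
end

# Returns a list of human-readable mismatches; empty means the header matches.
def hsts_mismatches(value, expect_subdomains:, min_max_age: 0)
  policy = parse_hsts(value)
  return ["header missing or invalid"] if policy.nil?
  problems = []
  if policy.include_subdomains != expect_subdomains
    problems << "includeSubDomains is #{policy.include_subdomains}, " \
                "expected #{expect_subdomains}"
  end
  if policy.max_age < min_max_age
    problems << "max-age #{policy.max_age} below #{min_max_age}"
  end
  problems
end

if __FILE__ == $PROGRAM_NAME
  # Header value taken from the curl output in the question.
  observed = "max-age=15552000; includeSubDomains"
  puts hsts_mismatches(observed, expect_subdomains: false)
end
```

Run against the header an integration test or deploy check actually receives, this flags the case where an initializer has replaced the `ssl_options` set in the environment file.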