TechQA.

How can I turn off includeSubDomains for HSTS in rails?

1.5k views Asked by At

I don't want the includeSubDomains option

➔ curl -s --head https://example.com/ |grep Strict 
Strict-Transport-Security: max-age=15552000; includeSubDomains

This doesn't seem to be working:

config.force_ssl = true
config.ssl_options = { hsts: { subdomains: false } }

What am I doing wrong?

Rails 5.0.1

ruby-on-rails ssl https hsts
Original Q&A
2

There are 2 answers

0
John Bachir On BEST ANSWER

The problem turned out to be that Rails 5 has an initializer, new_framework_defaults.rb, which has this line:

Rails.application.config.ssl_options = { hsts: { subdomains: true } }

Because it's in an initializer, no matter what you put in the environment config, those settings don't have an effect. I opened an issue about this here: https://github.com/rails/rails/issues/27638

0
chris raethke On

I'd highly recommend using the secureheaders gem so you get better control over these headers (and other similar ones).

Related Questions in RUBY-ON-RAILS

Related Questions in SSL

Related Questions in HTTPS

Related Questions in HSTS

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions