How can I turn off includeSubDomains for HSTS in rails?


I don't want the includeSubDomains option:

➔ curl -s --head https://example.com/ |grep Strict 
Strict-Transport-Security: max-age=15552000; includeSubDomains

This doesn't seem to be working:

config.force_ssl = true
config.ssl_options = { hsts: { subdomains: false } }

What am I doing wrong?

Rails 5.0.1

2

There are 2 answers

0
John Bachir On BEST ANSWER

The problem turned out to be that Rails 5 has an initializer, new_framework_defaults.rb, which has this line:

Rails.application.config.ssl_options = { hsts: { subdomains: true } }

Because it's in an initializer, no matter what you put in the environment config, those settings don't have an effect. I opened an issue about this here: https://github.com/rails/rails/issues/27638
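To make the boot-order problem in this answer concrete, here is an added example (not code from the question, the answers, or Rails itself) that simulates `config.ssl_options` being assigned first in `config/environments/production.rb` and then in `config/initializers/new_framework_defaults.rb`, builds the header the way the SSL middleware roughly does, and parses the result so you can check for includeSubDomains. The default values and the header formatting are assumptions that approximate ActionDispatch::SSL, and the "fixed" order assumes the remedy is removing the initializer's line.

```ruby
# Values the middleware falls back on when the hsts hash leaves a key unset
# (assumed; 15552000 s = 180 days, matching the question's curl output).
DEFAULT_HSTS = { expires: 15_552_000, subdomains: false, preload: false }.freeze

# Format the header value from an hsts options hash.
def build_hsts_header(hsts)
  hsts = DEFAULT_HSTS.merge(hsts || {})
  value = "max-age=#{hsts[:expires].to_i}"
  value += '; includeSubDomains' if hsts[:subdomains]
  value += '; preload' if hsts[:preload]
  value
end

# Apply `config.ssl_options = {...}` assignments in boot order. Each one
# replaces the whole hash, so the file loaded last wins.
def resolve_ssl_options(assignments)
  assignments.reduce({}) { |_, (_file, opts)| opts }
end

# Parse a Strict-Transport-Security value so a scan can flag includeSubDomains.
def parse_hsts(header)
  directives = header.split(';').map(&:strip).reject(&:empty?)
  max_age = directives.find { |d| d.start_with?('max-age=') }
  { max_age: max_age && max_age.split('=', 2)[1].to_i,
    include_subdomains: directives.any? { |d| d.casecmp('includeSubDomains').zero? },
    preload: directives.any? { |d| d.casecmp('preload').zero? } }
end

# Boot order from the question: config/environments/*.rb loads before
# config/initializers/*.rb, so new_framework_defaults.rb has the final say.
BROKEN_ORDER = [
  ['config/environments/production.rb', { hsts: { subdomains: false } }],
  ['config/initializers/new_framework_defaults.rb', { hsts: { subdomains: true } }]
].freeze

# Assumed fix: remove the initializer's ssl_options line (or set it to the
# value you want there), leaving the environment config as the last word.
FIXED_ORDER = BROKEN_ORDER.first(1).freeze

def header_for(order)
  build_hsts_header(resolve_ssl_options(order)[:hsts])
end

if __FILE__ == $PROGRAM_NAME
  [['broken', BROKEN_ORDER], ['fixed', FIXED_ORDER]].each do |name, order|
    puts "#{name}: Strict-Transport-Security: #{header_for(order)}"
  end
end
```

Running the script prints the header for both orders; `parse_hsts` can also be pointed at the value returned by the `curl --head` command in the question to confirm what production actually sends.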

0
chris raethke On

I'd highly recommend using the secureheaders gem so you get better control over these headers (and other similar ones).