From 9df261e46a26adc02df1017d6d030db05d1b0e24 Mon Sep 17 00:00:00 2001 From: Matt Jankowski Date: Sun, 23 Apr 2017 13:08:32 -0400 Subject: [PATCH] Make HSTS enable optional with force_ssl (#2364) --- config/environments/production.rb | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/config/environments/production.rb b/config/environments/production.rb index cf4b3e7f93..80933eda96 100644 --- a/config/environments/production.rb +++ b/config/environments/production.rb @@ -35,8 +35,13 @@ Rails.application.configure do # Allow to specify public IP of reverse proxy if it's needed config.action_dispatch.trusted_proxies = [IPAddr.new(ENV['TRUSTED_PROXY_IP'])] unless ENV['TRUSTED_PROXY_IP'].blank? - # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies. - config.force_ssl = false + # When LOCAL_HTTPS is set, force traffic over SSL + config.force_ssl = (ENV['LOCAL_HTTPS'] == 'true') + + # When ENABLE_HSTS is also set, turn on Strict-Transport-Security + config.ssl_options = { + hsts: (ENV['ENABLE_HSTS'] == 'true') + } # By default, use the lowest log level to ensure availability of diagnostic information # when problems arise. @@ -108,8 +113,6 @@ Rails.application.configure do config.action_mailer.delivery_method = ENV.fetch('SMTP_DELIVERY_METHOD', 'smtp').to_sym - config.force_ssl = (ENV['LOCAL_HTTPS'] == 'true') - config.react.variant = :production config.to_prepare do