authorMatt Jankowski <mjankowski@thoughtbot.com>2017-04-23 13:08:32 -0400
committerEugen <eugen@zeonfederated.com>2017-04-23 19:08:32 +0200
commit57cd6546c3864f7cd5bac244d88f1923a53e2c1a (patch)
tree937b85ce17d1a33463e7fb4cc48c074dc918dc4e /config/environments
parent1244630ab40c582c0ffa8ce0aadf93ae04209253 (diff)
Make HSTS enable optional with force_ssl (#2364)
Diffstat (limited to 'config/environments')
-rw-r--r--config/environments/production.rb11
1 files changed, 7 insertions, 4 deletions
diff --git a/config/environments/production.rb b/config/environments/production.rb
index cf4b3e7f932..80933eda968 100644
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@@ -35,8 +35,13 @@ Rails.application.configure do
# Allow to specify public IP of reverse proxy if it's needed
config.action_dispatch.trusted_proxies = [IPAddr.new(ENV['TRUSTED_PROXY_IP'])] unless ENV['TRUSTED_PROXY_IP'].blank?
- # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
- config.force_ssl = false
+ # When LOCAL_HTTPS is set, force traffic over SSL
+ config.force_ssl = (ENV['LOCAL_HTTPS'] == 'true')
+
+ # When ENABLE_HSTS is also set, turn on Strict-Transport-Security
+ config.ssl_options = {
+ hsts: (ENV['ENABLE_HSTS'] == 'true')
+ }
# By default, use the lowest log level to ensure availability of diagnostic information
# when problems arise.
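Review bot: With `hsts: (ENV['ENABLE_HSTS'] == 'true')`, HSTS is off by default even when `LOCAL_HTTPS` turns on `force_ssl`, so an instance that previously got the framework's default header under `force_ssl` loses it on upgrade unless the operator sets the new variable. If the Rails version in use treats `hsts: false` as "expire" (Rails 5's ActionDispatch::SSL sends `max-age=0` in that case; confirm against the Gemfile), browsers will also discard any policy they had cached, so a later plain-HTTP request is no longer upgraded by the browser. The comment above `config.ssl_options` should say this, for example `# HSTS is sent only when ENABLE_HSTS is exactly 'true' and LOCAL_HTTPS enables force_ssl; otherwise a cached policy may be cleared`. Because the comparison is an exact string match, values such as `1` or `True` silently leave HSTS disabled, which is worth noting wherever the variable is documented. The enclosing `Rails.application.configure do` block starts and ends outside this hunk.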
@@ -108,8 +113,6 @@ Rails.application.configure do
config.action_mailer.delivery_method = ENV.fetch('SMTP_DELIVERY_METHOD', 'smtp').to_sym
- config.force_ssl = (ENV['LOCAL_HTTPS'] == 'true')
-
config.react.variant = :production
config.to_prepare do