Enable HTTP Strict-Transport-Security

Thibaut · Thibaut · commit 817dac1c48c7 · 2018-11-25T13:17:33.000-05:00
diff --git a/lib/app.rb b/lib/app.rb
@@ -12,7 +12,7 @@ class App < Sinatra::Application
   Rack::Mime::MIME_TYPES['.webapp'] = 'application/x-web-app-manifest+json'
 
   configure do
-    use Rack::SslEnforcer, only_environments: ['production', 'test'], hsts: false, force_secure_cookies: false
+    use Rack::SslEnforcer, only_environments: ['production', 'test'], hsts: true, force_secure_cookies: false
 
     set :sentry_dsn, ENV['SENTRY_DSN']
     set :protection, except: [:frame_options, :xss_header]
diff --git a/test/app_test.rb b/test/app_test.rb
@@ -21,6 +21,11 @@ def app
     assert_equal 'https://example.com/test?q=1', last_response['Location']
   end
 
+  it 'returns HSTS header' do
+    get 'https://example.com/test'
+    assert_equal 'max-age=31536000; includeSubDomains', last_response['Strict-Transport-Security']
+  end
+
   describe "/" do
     it "works" do
       get '/'
