From 6eb3a1b0587cbad20b180a9d6c7b3a5fbcc91e8b Mon Sep 17 00:00:00 2001
From: Egor Homakov
Date: Fri, 18 Dec 2015 16:19:49 +0300
Subject: [PATCH] HSTS without IncludeSubdomains is often useless

1) Because if you forget to add Secure; to the session cookie, it will leak to http:// subdomain in some cases
2) Because http:// subdomain can Cookie Bomb/cookie force main domain or be used for phishing.
That's why *by default* it must include subdomains as it's much more common scenario. Very few websites *intend* to leave their blog.app.com working over http:// while having everything else encrypted. Yes, many developers forget to add subdomains=true by default, believe me :)
---
 actionpack/lib/action_dispatch/middleware/ssl.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/actionpack/lib/action_dispatch/middleware/ssl.rb b/actionpack/lib/action_dispatch/middleware/ssl.rb
index 735b5939dd..823cefe957 100644
--- a/actionpack/lib/action_dispatch/middleware/ssl.rb
+++ b/actionpack/lib/action_dispatch/middleware/ssl.rb
@@ -40,7 +40,7 @@ class SSL
 HSTS_EXPIRES_IN = 15552000
 def self.default_hsts_options
- { expires: HSTS_EXPIRES_IN, subdomains: false, preload: false }
+ { expires: HSTS_EXPIRES_IN, subdomains: true, preload: false }
 end
 def initialize(app, redirect: {}, hsts: {}, secure_cookies: true, **options)
--
GitLab
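Review bot: The new `subdomains: true` default in `self.default_hsts_options` is paired with `HSTS_EXPIRES_IN = 15552000` (180 days), so every existing deployment that upgrades and still serves the default header will pin all of its subdomains to HTTPS for six months in any browser that sees the apex response — an http://-only subdomain then becomes unreachable, and as far as I understand HSTS the only way back is to serve the header with a zero max-age from the parent host and wait for client caches. The diffstat shows only ssl.rb changed, so there is no changelog entry or doc warning about this upgrade behaviour and no mention of the opt-out; I'd at least add a comment above the method: `# includeSubDomains by default: an http:// subdomain can set cookies on the parent domain or host phishing. Pass hsts: { subdomains: false } to opt out.` Note also that the cookie-leak rationale in the message is already mitigated for the session cookie by the visible `secure_cookies: true` default of `initialize`, so the stronger justification is the subdomain cookie-injection/phishing case. Class `SSL` and `initialize` continue outside the hunk.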