Commit 6eb3a1b0 authored by Egor Homakov, committed by Prathamesh Sonpatki

HSTS without IncludeSubdomains is often useless

1) Because if you forget to add Secure; to the session cookie, it will leak to an http:// subdomain in some cases
2) Because an http:// subdomain can Cookie Bomb/cookie force the main domain or be used for phishing.

That's why *by default* it must include subdomains, as it's a much more common scenario. Very few websites *intend* to leave their blog.app.com working over http:// while having everything else encrypted.

Yes, many developers forget to add subdomains=true by default, believe me :)
Parent 50e4433b
......@@ -40,7 +40,7 @@ class SSL
HSTS_EXPIRES_IN = 15552000
def self.default_hsts_options
{ expires: HSTS_EXPIRES_IN, subdomains: false, preload: false }
{ expires: HSTS_EXPIRES_IN, subdomains: true, preload: false }
end
def initialize(app, redirect: {}, hsts: {}, secure_cookies: true, **options)
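Review bot: Flipping the default in `default_hsts_options` from `subdomains: false` to `subdomains: true` is a breaking change for every deployment that relies on the default, so it needs a CHANGELOG entry and a documentation/upgrade note stating that the `includeSubDomains` directive is now emitted unless the caller passes `hsts: { subdomains: false }` through the `hsts:` option of `initialize`. The note should spell out the blast radius: with `HSTS_EXPIRES_IN = 15552000` (180 days), a browser that receives the new header once will refuse plain http:// to every subdomain for that period, so an operator who still serves a subdomain over http has to opt out before upgrading rather than after. The existing test for `default_hsts_options` will also need updating to assert the new value.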