class SecureHeaders::Middleware
Constants
- HPKP_SAME_HOST_WARNING
Public Class Methods
new(app)
# File lib/secure_headers/middleware.rb, line 5
# Builds the middleware around the downstream Rack application.
#
# @param app [#call] the application this middleware wraps; +call+
#   invokes it with the Rack env for every request.
def initialize(app)
  @app = app
end
Public Instance Methods
call(env)
Merges the hash of headers into the response's current header set.
# File lib/secure_headers/middleware.rb, line 10
# Runs the downstream app and decorates its response with the headers
# configured for this request.
#
# Order of operations:
# * warn via +Kernel.warn+ when the configured HPKP report host is the
#   same host the request was made to;
# * when a cookie configuration is present, pass it through
#   +override_secure+ (which drops the Secure flag for non-HTTPS
#   requests) and apply it with +flag_cookies!+;
# * merge the computed header hash into the response headers — note that
#   +merge!+ overwrites any header of the same name the app already set.
#
# @param env [Hash] the Rack environment
# @return [Array] the +[status, headers, body]+ triple from the app, with
#   +headers+ updated in place
def call(env)
  request = Rack::Request.new(env)
  status, headers, body = @app.call(env)
  config = SecureHeaders.config_for(request)

  Kernel.warn(HPKP_SAME_HOST_WARNING) if config.hpkp_report_host == request.host

  if config.cookies
    cookie_config = override_secure(env, config.cookies)
    flag_cookies!(headers, cookie_config)
  end

  headers.merge!(SecureHeaders.header_hash_for(request))
  [status, headers, body]
end
Private Instance Methods
override_secure(env, config = {})
Disables the Secure cookie flag for non-HTTPS requests.
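# File lib/secure_headers/middleware.rb, line 39
# Returns the cookie configuration to apply for this request, with the
# +secure+ flag turned off when the request did not arrive over HTTPS
# (a cookie flagged Secure would never be sent back over plain HTTP).
#
# The caller's hash is not mutated: the previous +merge!+ changed
# +config+ in place, and +call+ passes +config.cookies+ straight in, so
# if that hash is the shared application configuration a single
# plain-HTTP request would have disabled Secure cookies for every later
# HTTPS request as well. Whether +config_for+ hands out a shared or a
# per-request object is not visible here, so returning a copy is the
# safe choice either way.
#
# @param env [Hash] the Rack environment, consulted via +scheme+
# @param config [Hash] cookie configuration, e.g. +config.cookies+
# @return [Hash] +config+ itself for HTTPS requests, otherwise a copy of
#   it with +secure: false+
def override_secure(env, config = {})
  return config if scheme(env) == 'https'

  config.merge(secure: false)
end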
scheme(env)
derived from github.com/tobmatth/rack-ssl-enforcer/blob/6c014/lib/rack/ssl-enforcer.rb#L119
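# File lib/secure_headers/middleware.rb, line 48
# Determines the scheme the request was made with, checking in order:
#   1. 'https' when the server set HTTPS=on or the X-SSL-Request header
#      is "on";
#   2. the first entry of X-Forwarded-Proto, with surrounding whitespace
#      removed — a proxy-chain value such as "https, http" or " https"
#      would otherwise compare unequal to 'https' and the request would
#      be treated as plain HTTP (and its cookies lose the Secure flag);
#   3. rack.url_scheme.
#
# X-SSL-Request and X-Forwarded-Proto are request headers. They are only
# a reliable signal when a reverse proxy in front of the application sets
# or overwrites them; if the proxy passes client-supplied values through,
# the client decides whether cookies are flagged Secure. Deployments
# relying on this path should make sure the proxy owns those headers.
#
# @param env [Hash] the Rack environment
# @return [String, nil] 'https', the first forwarded scheme, or
#   rack.url_scheme; nil when X-Forwarded-Proto is present but empty
#   (unchanged from the previous behaviour)
def scheme(env)
  return 'https' if env['HTTPS'] == 'on' || env['HTTP_X_SSL_REQUEST'] == 'on'

  forwarded = env['HTTP_X_FORWARDED_PROTO']
  return env['rack.url_scheme'] unless forwarded

  first = forwarded.split(',').first
  first && first.strip
end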