class SecureHeaders::Middleware

Public Class Methods

new(app)
# File lib/secure_headers/middleware.rb, line 4
def initialize(app)
  # Standard Rack middleware constructor: retain the downstream app so that
  # #call can invoke it. Nothing else is configured here — the per-request
  # SecureHeaders configuration is looked up inside #call.
  @app = app
end

Public Instance Methods

call(env)

Runs the downstream app, rewrites its Set-Cookie headers according to the cookie configuration (with the Secure flag suppressed for non-HTTPS requests), and merges the SecureHeaders header set for the request into the response headers.

# File lib/secure_headers/middleware.rb, line 9
def call(env)
  # Rack entry point. Runs the downstream app first, then post-processes the
  # response it returned:
  #   * every Set-Cookie value is rewritten by flag_cookies! using the
  #     request's cookie config, with the Secure flag dropped for non-HTTPS
  #     requests via override_secure (skipped entirely when cookies are
  #     OPT_OUT);
  #   * the SecureHeaders header set for this request is merged into the
  #     response headers. Hash#merge! overwrites, so a same-named header the
  #     app set itself is replaced by the SecureHeaders value.
  # Returns the usual [status, headers, body] triple.
  request = Rack::Request.new(env)
  status, headers, body = @app.call(env)

  config = SecureHeaders.config_for(request)
  unless config.cookies == OPT_OUT
    cookie_config = override_secure(env, config.cookies)
    flag_cookies!(headers, cookie_config)
  end
  headers.merge!(SecureHeaders.header_hash_for(request))

  [status, headers, body]
end

Private Instance Methods

flag_cookies!(headers, config)

inspired by github.com/tobmatth/rack-ssl-enforcer/blob/6c014/lib/rack/ssl-enforcer.rb#L183-L194

# File lib/secure_headers/middleware.rb, line 22
def flag_cookies!(headers, config)
  # Rewrites every Set-Cookie value in `headers` in place by passing it
  # through SecureHeaders::Cookie with `config` (the cookie flags to apply).
  # Does nothing when the response sets no cookies.
  raw = headers["Set-Cookie"]
  return unless raw

  # Rack 1.1 / Rails 2.3 deliver the header as an Array of cookie strings;
  # newer stacks deliver one "\n"-joined String. Either way the result is
  # written back as a single "\n"-joined String.
  cookie_list = raw.is_a?(Array) ? raw : raw.split("\n")
  flagged = cookie_list.map { |raw_cookie| SecureHeaders::Cookie.new(raw_cookie, config).to_s }
  headers["Set-Cookie"] = flagged.join("\n")
end
override_secure(env, config = {})

Drops the Secure flag from the cookie configuration when the request was not made over HTTPS (as determined by scheme), and returns the adjusted configuration. A configuration of OPT_OUT is passed through untouched.

# File lib/secure_headers/middleware.rb, line 34
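def override_secure(env, config = {})
  # Returns the cookie config to use for this request: `config` unchanged
  # when cookies are OPT_OUT or the request came over HTTPS (per scheme),
  # otherwise a copy of `config` with :secure set to OPT_OUT so that cookies
  # on a plain-HTTP response are not marked Secure.
  return config if config == OPT_OUT || scheme(env) == "https"

  # Work on a copy rather than writing into the caller's hash. In #call this
  # hash is `config.cookies` from SecureHeaders.config_for; if that object is
  # shared across requests (presumably the case for the default
  # configuration), an in-place write would disable the Secure flag for every
  # later request — including HTTPS ones — after the first plain-HTTP hit.
  overridden = config.dup
  overridden[:secure] = OPT_OUT
  overridden
end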
scheme(env)

derived from github.com/tobmatth/rack-ssl-enforcer/blob/6c014/lib/rack/ssl-enforcer.rb#L119

# File lib/secure_headers/middleware.rb, line 43
def scheme(env)
  # Determines the request scheme ("https", "http", ...) in order of
  # precedence:
  #   1. a TLS flag set in the environment (HTTPS=on or X-SSL-Request: on),
  #   2. the first entry of the X-Forwarded-Proto header,
  #   3. Rack's own view of the URL scheme.
  # NOTE(review): X-SSL-Request and X-Forwarded-Proto are ordinary request
  # headers. Unless a trusted proxy in front of the app overwrites or strips
  # them, a client can supply them itself and thereby steer
  # override_secure's decision to drop the Secure flag from cookies (e.g. by
  # sending "X-Forwarded-Proto: http" when a proxy only appends its own
  # value). Verify the proxy configuration before relying on this.
  # An empty X-Forwarded-Proto value yields nil here rather than falling
  # through to rack.url_scheme.
  tls_flagged = env["HTTPS"] == "on" || env["HTTP_X_SSL_REQUEST"] == "on"
  return "https" if tls_flagged

  forwarded_proto = env["HTTP_X_FORWARDED_PROTO"]
  return forwarded_proto.split(",").first if forwarded_proto

  env["rack.url_scheme"]
end