Trying to reconcile the following:

ActionDispatch::SSL adds Strict-Transport-Security headers to all
responses, including non-secure redirect-to-https responses...

however, the STS spec explicitly says:

"An HSTS Host MUST NOT include the STS header field in HTTP responses
conveyed over non-secure transport."

http://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec-14#section-7.2

I'm not an expert on HSTS, but it sounds like ActionDispatch::SSL is
violating the spec when it adds STS to redirect responses. Is this for a
reason?

I have no evidence or reason to believe that this is causing any bugs or
security issues.

-- 
You received this message because you are subscribed to the Google Groups "Ruby 
on Rails: Core" group.
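As an added illustration, not ActionDispatch::SSL's or the Rails project's own code: a minimal Rack-style middleware that follows section 7.2 as quoted above, redirecting non-secure requests to https without the STS header and adding the header only on responses served over TLS, plus a small check that flags a response carrying STS over a non-secure scheme. The env keys are Rack conventions; the host, path, max-age value and inner app are constructed stand-ins.

```ruby
# Added example (not ActionDispatch::SSL's code): a Rack-style middleware that
# applies the HSTS rule from section 7.2 of the quoted draft.
class SpecCompliantSsl
  STS_VALUE = "max-age=31536000".freeze # constructed value

  def initialize(app)
    @app = app
  end

  def call(env)
    return redirect_to_https(env) unless env["rack.url_scheme"] == "https"

    status, headers, body = @app.call(env)
    # The request arrived over TLS, so the STS header is permitted here.
    headers["Strict-Transport-Security"] ||= STS_VALUE
    [status, headers, body]
  end

  private

  # Non-secure request: redirect to the https URL but do NOT attach STS,
  # because this response is conveyed over plain HTTP.
  def redirect_to_https(env)
    location = "https://#{env['HTTP_HOST']}#{env['PATH_INFO']}"
    location += "?#{env['QUERY_STRING']}" unless env["QUERY_STRING"].to_s.empty?
    [301, { "Content-Type" => "text/html", "Location" => location }, []]
  end
end

# Defender-side check: true when an STS header is present on a response
# that was served over a non-secure scheme (a section 7.2 violation).
def sts_on_insecure_response?(scheme, headers)
  scheme != "https" && headers.key?("Strict-Transport-Security")
end

# Constructed inner app and request builder for a stand-alone run.
APP = SpecCompliantSsl.new(->(_env) { [200, { "Content-Type" => "text/plain" }, ["ok"]] })

def run_request(scheme, host = "example.test", path = "/login", query = "")
  env = { "rack.url_scheme" => scheme, "HTTP_HOST" => host,
          "PATH_INFO" => path, "QUERY_STRING" => query }
  status, headers, _body = APP.call(env)
  [status, headers, sts_on_insecure_response?(scheme, headers)]
end

if __FILE__ == $PROGRAM_NAME
  p run_request("http")  # 301 redirect, no STS header, violation flag false
  p run_request("https") # 200 with STS header, violation flag false
end
```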