Fix #3522: Enable HSTS.

config/application.rb

@@ -26,6 +26,17 @@ module Danbooru
     config.action_mailer.perform_deliveries = true
     config.log_tags = [lambda {|req| "PID:#{Process.pid}"}]
     config.action_controller.action_on_unpermitted_parameters = :raise
+    config.force_ssl = true
+
+    if Rails.env.production? && Danbooru.config.ssl_options.present?
+      config.ssl_options = Danbooru.config.ssl_options
+    else
+      config.ssl_options = {
+        hsts: false,
+        secure_cookies: false,
+        redirect: { exclude: ->(request) { true } }
+      }
+    end
 
     if File.exists?("#{config.root}/REVISION")
       config.x.git_hash = File.read("#{config.root}/REVISION").strip

config/danbooru_default_config.rb

@@ -198,6 +198,26 @@ module Danbooru
       1.week.ago
     end
 
+    # Permanently redirect all HTTP requests to HTTPS.
+    #
+    # https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
+    # http://api.rubyonrails.org/classes/ActionDispatch/SSL.html
+    def ssl_options
+      {
+        redirect: { exclude: ->(request) { request.subdomain == "insecure" } },
+        hsts: {
+          expires: 1.year,
+          preload: true,
+          subdomains: false,
+        },
+      }
+    end
+
+    # Disable the forced use of HTTPS.
+    # def ssl_options
+    #   false
+    # end
+
     # The name of the server the app is hosted on.
     def server_host
       Socket.gethostname