Fix #3522: Enable HSTS.

config/danbooru_default_config.rb

@@ -198,6 +198,26 @@ module Danbooru
       1.week.ago
     end
 
+    # Permanently redirect all HTTP requests to HTTPS.
+    #
+    # https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
+    # http://api.rubyonrails.org/classes/ActionDispatch/SSL.html
+    def ssl_options
+      {
+        redirect: { exclude: ->(request) { request.subdomain == "insecure" } },
+        hsts: {
+          expires: 1.year,
+          preload: true,
+          subdomains: false,
+        },
+      }
+    end
+
+    # Disable the forced use of HTTPS.
+    # def ssl_options
+    #   false
+    # end
+
     # The name of the server the app is hosted on.
     def server_host
       Socket.gethostname