From d00308c43de329ca131814a321f8faeb2165fb3c Mon Sep 17 00:00:00 2001
From: evazion
Date: Tue, 7 Jan 2020 11:49:46 -0600
Subject: [PATCH] Delegate HSTS to nginx.

Remove the ssl_options config option. Let nginx handle HSTS and http->https redirects instead. At the rails level, all we need to do is set the secure cookie flag when https is enabled (which we assume it's enabled in production).
---
 config/application.rb | 11 -----------
 config/danbooru_default_config.rb | 20 --------------------
 config/initializers/session_store.rb | 2 +-
 3 files changed, 1 insertion(+), 32 deletions(-)

diff --git a/config/application.rb b/config/application.rb
index 0b05cff10..5b6030b2f 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -46,17 +46,6 @@ module Danbooru
 config.log_tags = [->(req) {"PID:#{Process.pid}"}]
 config.action_controller.action_on_unpermitted_parameters = :raise
 
- config.force_ssl = true
-
- if Rails.env.production? && Danbooru.config.ssl_options.present?
- config.ssl_options = Danbooru.config.ssl_options
- else
- config.ssl_options = {
- hsts: false,
- secure_cookies: false,
- redirect: { exclude: ->(request) { true } }
- }
- end
 
 if File.exist?("#{config.root}/REVISION")
 config.x.git_hash = File.read("#{config.root}/REVISION").strip
diff --git a/config/danbooru_default_config.rb b/config/danbooru_default_config.rb
index 90a67efe5..6a0226e38 100644
--- a/config/danbooru_default_config.rb
+++ b/config/danbooru_default_config.rb
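Review bot: Removing `config.force_ssl = true` also removes ActionDispatch::SSL's secure-cookie flagging, which applied to every Set-Cookie header the app emits, while the `secure:` option added in config/initializers/session_store.rb (third hunk) covers only the session cookie; any other cookie the app sets — I can't see from here whether there are any — is now sent without the Secure attribute in production. If the intent is only to hand redirects and HSTS to nginx, the middleware can stay with those two parts switched off and cookie flagging kept: `config.force_ssl = Rails.env.production?` and `config.ssl_options = { redirect: false, hsts: false }` (secure_cookies defaults to true). Minor style point: the deletion leaves two consecutive blank lines between the `:raise` line and `if File.exist?`. The enclosing `Application` class body starts and ends outside the hunk.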
@@ -187,26 +187,6 @@ module Danbooru
 }
 end
 
- # Permanently redirect all HTTP requests to HTTPS.
- #
- # https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
- # http://api.rubyonrails.org/classes/ActionDispatch/SSL.html
- def ssl_options
- {
- redirect: { exclude: ->(request) { request.subdomain == "insecure" } },
- hsts: {
- expires: 1.year,
- preload: true,
- subdomains: false
- }
- }
- end
-
- # Disable the forced use of HTTPS.
- # def ssl_options
- # false
- # end
-
 # The name of the server the app is hosted on.
 def server_host
 Socket.gethostname
diff --git a/config/initializers/session_store.rb b/config/initializers/session_store.rb
index 4d686690f..6cb8f0eb3 100644
--- a/config/initializers/session_store.rb
+++ b/config/initializers/session_store.rb
@@ -1,3 +1,3 @@
 # Be sure to restart your server when you modify this file.
-Rails.application.config.session_store :cookie_store, key: '_danbooru2_session', domain: :all, tld_length: 2, same_site: :lax
+Rails.application.config.session_store :cookie_store, key: '_danbooru2_session', domain: :all, tld_length: 2, same_site: :lax, secure: Rails.env.production?
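Review bot: `secure: Rails.env.production?` in the session_store.rb hunk keys the Secure attribute to the environment name rather than to whether TLS is actually in front of the app, so a staging or development deployment served over HTTPS gets a session cookie without Secure, and a production deployment that is not yet behind TLS gets a cookie the browser will never send back; the commit message acknowledges this as an assumption, but nothing in the file records it. Since the removed default `ssl_options` (second hunk) was the only place that documented the HTTPS policy, a comment here would help the next operator: `# HSTS and http->https redirects are handled by nginx, not Rails. The session cookie is flagged Secure only in production, where TLS termination in front of the app is assumed.` Note that with `domain: :all` this one cookie is scoped to the whole registrable domain, so the flag applies uniformly to every subdomain, including any that previously relied on the removed `insecure` subdomain exemption.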