Delegate HSTS to nginx.

Remove the ssl_options config option. Let nginx handle HSTS and http->https redirects instead. At the rails level, all we need to do is set the secure cookie flag when https is enabled (which we assume it's enabled in production).
2020-01-07 11:49:46 -06:00
parent a4419b1e3d
commit d00308c43d
3 changed files with 1 additions and 32 deletions
--- a/config/danbooru_default_config.rb
+++ b/config/danbooru_default_config.rb
@@ -187,26 +187,6 @@ module Danbooru
      }
    end

-    # Permanently redirect all HTTP requests to HTTPS.
-    #
-    # https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
-    # http://api.rubyonrails.org/classes/ActionDispatch/SSL.html
-    def ssl_options
-      {
-        redirect: { exclude: ->(request) { request.subdomain == "insecure" } },
-        hsts: {
-          expires: 1.year,
-          preload: true,
-          subdomains: false
-        }
-      }
-    end
-
-    # Disable the forced use of HTTPS.
-    # def ssl_options
-    #   false
-    # end
-
    # The name of the server the app is hosted on.
    def server_host
      Socket.gethostname