Closed jduss4 closed 5 years ago
@techgique can you take a look and see if those should be committed?
jdussault@cors1601 /var/local/www/rails/cdrhapi.unl.edu/v1 $ git diff diff --git a/config/environments/production.rb b/config/environments/production.rb index 179a06a..e9bbd6f 100644 --- a/config/environments/production.rb +++ b/config/environments/production.rb @@ -32,7 +32,11 @@ Rails.application.configure do # config.action_cable.allowed_request_origins = [ 'http://example.com', /http:\/\/example.*/ ] # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies. - # config.force_ssl = true + config.force_ssl = true + + # Handle STS here instead of Apache, or Rails duplicates header contents + # Also unset cache-control header in HTTPS vhost for same reason + config.ssl_options = { hsts: { preload: true } } # Use the lowest log level to ensure availability of diagnostic information # when problems arise. diff --git a/config/initializers/new_framework_defaults.rb b/config/initializers/new_framework_defaults.rb index d859e4b..4f869a0 100644 --- a/config/initializers/new_framework_defaults.rb +++ b/config/initializers/new_framework_defaults.rb @@ -15,4 +15,4 @@ Rails.application.config.active_record.belongs_to_required_by_default = true ActiveSupport.halt_callback_chains_on_return_false = false # Configure SSL options to enable HSTS with subdomains. Previous versions had false. -Rails.application.config.ssl_options = { hsts: { subdomains: true } } +#Rails.application.config.ssl_options = { hsts: { subdomains: true } }
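Review bot: In config/environments/production.rb, the new ssl_options value sets only `hsts: { preload: true }`, while the same patch comments out the `subdomains: true` setting in new_framework_defaults.rb, so whether includeSubDomains is still sent now depends on the framework default for this Rails version. HSTS preload-list submission requires includeSubDomains and a max-age of at least one year alongside the preload directive, so I would state them explicitly, for example `config.ssl_options = { hsts: { preload: true, subdomains: true, expires: 1.year } }`, and confirm that every subdomain of this host serves HTTPS before relying on it. The added comment also refers to unsetting the cache-control header in the HTTPS vhost, which is an Apache change not visible in this diff; a pointer to where that lives would help whoever touches this next.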
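Review bot: In config/initializers/new_framework_defaults.rb the ssl_options line is commented out rather than removed, which leaves the comment "Configure SSL options to enable HSTS with subdomains" sitting above a dead line. This initializer applies to every environment, while the replacement setting lives only in production.rb, so either delete both lines or replace them with a one-line comment saying that ssl_options is now set in config/environments/production.rb. If the commented line stays, `# Rails...` with a space after the `#` matches the other comments shown in these files.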
Looks like these changes were committed and are all as they should be. Those new_framework_defaults initializers will probably need review upon further Rails upgrades, but that is a separate issue.