class Helmet::StrictTransportSecurityHandler
- Helmet::StrictTransportSecurityHandler
- HTTP::Handler
- Reference
- Object
Overview
This handler adds the Strict-Transport-Security header to the response. This tells browsers, "hey, only use HTTPS for the next period of time". (See the spec for more.)
Tell browsers to use HTTPS for the next 90 days:

    server = HTTP::Server.new("0.0.0.0", 8080, [
      Helmet::StrictTransportSecurityHandler.new(90.day),
      # ...
    ])
Include subdomains
You can also include subdomains. If this is set on example.com, supported browsers will also use HTTPS on my-subdomain.example.com. Here's how you do that:
    server = HTTP::Server.new("0.0.0.0", 8080, [
      Helmet::StrictTransportSecurityHandler.new(90.day,
        include_subdomains: true),
      # ...
    ])
Bake this into Chrome
Chrome lets you submit your site for baked-into-Chrome HSTS by adding preload to the header. You can add that with the following code, and then submit your site to the Chrome team at hstspreload.appspot.com.

    server = HTTP::Server.new("0.0.0.0", 8080, [
      Helmet::StrictTransportSecurityHandler.new(90.day,
        include_subdomains: true,
        preload: true),
      # ...
    ])
Note that the max-age (the first argument) must be at least 18 weeks to be approved by Google, and the include_subdomains option must also be set. The 90.day value in the example above is shorter than 18 weeks, so raise it before submitting the site for preloading.
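To make the three options concrete, here is an added, self-contained Crystal example (not the Helmet shard's own code) showing how a handler of this kind composes the header value from the max-age span, the include_subdomains flag and the preload flag, plus a small checker that tests a header value against the preload requirements stated above. The class name HstsExample, the helper preload_problems and the assumption that those two requirements (18-week minimum max-age, includeSubDomains present) plus the preload directive are the only rules checked are all illustrative choices of this example.

```crystal
require "http/server"

# Illustrative HSTS handler (not the Helmet implementation). It builds the
# Strict-Transport-Security value from the same three inputs the handler
# above takes: a Time::Span for max-age, include_subdomains and preload.
class HstsExample
  include HTTP::Handler

  def initialize(@max_age : Time::Span, @include_subdomains = false, @preload = false)
  end

  # max-age is expressed in seconds on the wire, so the span is converted here.
  def header_value : String
    String.build do |io|
      io << "max-age=" << @max_age.total_seconds.to_i64
      io << "; includeSubDomains" if @include_subdomains
      io << "; preload" if @preload
    end
  end

  # Same shape as any HTTP::Handler: set the header, then pass the request on.
  def call(context : HTTP::Server::Context)
    context.response.headers["Strict-Transport-Security"] = header_value
    call_next(context)
  end
end

# Checks a header value against the preload rules stated above (assumption:
# only these rules are checked). Returns a list of problems; an empty list
# means the value satisfies them.
def preload_problems(value : String) : Array(String)
  directives = value.split(';').map(&.strip.downcase)
  problems = [] of String

  if max_age = directives.find(&.starts_with?("max-age="))
    seconds = max_age.split('=', 2)[1].to_i64? || 0_i64
    minimum = 18.weeks.total_seconds.to_i64
    if seconds < minimum
      problems << "max-age=#{seconds} is below the 18-week minimum of #{minimum} seconds"
    end
  else
    problems << "max-age directive missing"
  end

  problems << "includeSubDomains missing" unless directives.includes?("includesubdomains")
  problems << "preload missing" unless directives.includes?("preload")
  problems
end

# A weak configuration (90 days, nothing else) next to one that meets the
# stated preload requirements; both handlers could be placed in the
# HTTP::Server handler array exactly like the Helmet handler above.
weak   = HstsExample.new(90.day)
strong = HstsExample.new(18.weeks, include_subdomains: true, preload: true)

puts weak.header_value
puts preload_problems(weak.header_value).inspect
puts strong.header_value
puts preload_problems(strong.header_value).inspect
```

Running this prints the two header values and the problem lists: the weak configuration is reported for its short max-age and the two missing directives, while the strong one yields an empty list. The checker is also useful on its own, for example against the header an existing deployment actually returns, before submitting a site for preloading.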