class Helmet::StrictTransportSecurityHandler

Overview

This handler adds the Strict-Transport-Security header to the response. This tells browsers, "hey, only use HTTPS for this site for the next period of time", so later requests are upgraded to HTTPS before they leave the browser. (See the spec for more.)

Tell browsers to use HTTPS for the next 90 days

server = HTTP::Server.new("0.0.0.0", 8080, [
  Helmet::StrictTransportSecurityHandler.new(90.day),
  # ...
])

Include subdomains

You can also include subdomains. If this is set on example.com, supported browsers will also use HTTPS on my-subdomain.example.com. Here's how you do that:

server = HTTP::Server.new("0.0.0.0", 8080, [
  Helmet::StrictTransportSecurityHandler.new(90.day,
    include_subdomains: true),
  # ...
])

Bake this into Chrome

Chrome lets you submit your site for baked-into-Chrome HSTS by adding preload to the header. You can add that with the following code, and then submit your site to the Chrome team at hstspreload.appspot.com.

server = HTTP::Server.new("0.0.0.0", 8080, [
  Helmet::StrictTransportSecurityHandler.new(90.day,
    include_subdomains: true,
    preload: true),
  # ...
])

Note that the max-age (the first argument) must be at least 18 weeks for Google to approve the submission. The include_subdomains option must also be set.
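The following is an added example, not Helmet's own source: it builds the header value from the same options the handler takes, checks the preload requirements just described before you turn preload on, and shows how to exercise a handler of this shape against an in-memory context in a test. The HstsExample and ExampleHstsHandler names are hypothetical.

```crystal
require "http/server"

# Added example, not Helmet's own source: builds the Strict-Transport-Security
# value from the same options the handler takes, and checks the preload
# requirements stated above (max-age >= 18 weeks, include_subdomains set).
# Module and class names here are hypothetical.
module HstsExample
  def self.header_value(max_age : Time::Span, include_subdomains = false, preload = false) : String
    value = "max-age=#{max_age.total_seconds.to_i}"   # the header counts seconds
    value += "; includeSubDomains" if include_subdomains
    value += "; preload" if preload
    value
  end

  # Problems that would block a preload submission; empty when eligible.
  # Preload is effectively permanent, so run this before setting preload: true.
  def self.preload_problems(max_age : Time::Span, include_subdomains : Bool, preload : Bool) : Array(String)
    problems = [] of String
    problems << "max-age must be at least 18 weeks" if max_age < 18.weeks
    problems << "include_subdomains must be true" unless include_subdomains
    problems << "preload directive must be present" unless preload
    problems
  end
end

# A minimal handler in the same shape as the one this page documents.
class ExampleHstsHandler
  include HTTP::Handler

  def initialize(@max_age : Time::Span, @include_subdomains = false, @preload = false)
  end

  def call(context : HTTP::Server::Context)
    context.response.headers["Strict-Transport-Security"] =
      HstsExample.header_value(@max_age, @include_subdomains, @preload)
    call_next(context)
  end
end

# Exercise it without a socket: wrap an in-memory IO in a server context.
handler = ExampleHstsHandler.new(90.day, include_subdomains: true, preload: true)
handler.next = ->(ctx : HTTP::Server::Context) { ctx.response.print "ok" }
context = HTTP::Server::Context.new(
  HTTP::Request.new("GET", "/"),
  HTTP::Server::Response.new(IO::Memory.new))
handler.call(context)
puts context.response.headers["Strict-Transport-Security"]
HstsExample.preload_problems(90.day, true, true).each { |p| puts "preload blocker: #{p}" }
```

With the 90-day value from the examples above, preload_problems reports the max-age as a blocker; raising the first argument to 18.weeks or more clears it.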

Defined in:

helmet/stricttransportsecurityhandler.cr

Class Method Detail

def self.new(max_age : Time::Span, include_subdomains : Bool = false, preload : Bool = false)

Instance Method Detail

def call(context : HTTP::Server::Context)