strict and HSTS are incompatible

[dacort]

The :strict option and enabling HSTS by default are incompatible with each other and will result in infinite loops. As :strict tries to redirect the browser to http, the user's browser tries to redirect to https due to HSTS affecting any URL on the site.

As HSTS is fairly new and only supported by Chrome and Firefox nightlies, there should be a warning or the option to disable it when used together with :strict.

[pjammer]

i just get an infinite loop without specifying anything.

I simply use this in config/application.rb:

config.middleware.use Rack::SslEnforcer

and this in the gemfile

gem "rack-ssl-enforcer", :require => 'rack/ssl-enforcer'

I assume that is all i needed to do if i wanted full site ssl, correct?

If so, i get infinite loops with no useful production log warnings, even in :debug mode.

[marzdrel]

Is there even a way to disable HSTS currently, without monkey patching? Looks like this gem is pretty useless, unless you want to force SSL on the whole site...

[thibaudgg]

fixed here: #16
Ok for you?

[rymai]

@mdrozdziel HSTS is off by default, I close this issue since it's fixed for 1 year now! :)