In Rails 5 we can do something like:
config.ssl_options = { hsts: { expires: 10.days } }
I found an old article that says I can enforce it with
class ApplicationController < ActionController::Base
  before_filter :strict_transport_security

  private

  # Only emit HSTS on HTTPS responses; browsers ignore the header over plain HTTP.
  def strict_transport_security
    if request.ssl?
      response.headers['Strict-Transport-Security'] = "max-age=31536000; includeSubDomains"
    end
  end
end
In this file there is an HSTS method; does this mean it is on by default in Rails 4.2? https://github.com/rails/rails/blob/4-2-stable/actionpack/lib/action_dispatch/middleware/ssl.rb
Rails 5 added more options that you can specify in ssl_options, but Rails 4 already had basic ones, including hsts: { expires: 10.days, subdomains: false }, as you can see in the code:
config.force_ssl = true
config.ssl_options = { hsts: { expires: 10.days, subdomains: false } }
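To make the config-to-header mapping concrete, here is an added example (written for this answer, not Rails' own ActionDispatch::SSL): a small Rack-style middleware that reproduces the observable behaviour of force_ssl plus ssl_options[:hsts] as described above (redirect non-TLS requests, add Strict-Transport-Security to TLS responses), and a parser you can use to assert on the header in a test instead of reading it by eye. It assumes the one-year default and the hsts: false opt-out from the linked ssl.rb, takes expires as integer seconds instead of 10.days (no ActiveSupport), and decides "is this TLS?" from the HTTPS and X-Forwarded-Proto env keys, which is a simplification of what Rack does.

```ruby
# Added illustrative example; not Rails' ActionDispatch::SSL.
# Mirrors the behaviour discussed above so the effect of each
# ssl_options[:hsts] setting can be seen and tested offline.

YEAR = 31_536_000 # seconds; assumed to match the one-year default in ssl.rb

class HstsMiddleware
  DEFAULT_HSTS = { expires: YEAR, subdomains: false }.freeze

  # ssl_options follows the shape of config.ssl_options:
  #   {}                                  -> defaults (1 year, no subdomains)
  #   { hsts: true }                      -> same as defaults
  #   { hsts: false }                     -> no HSTS header at all
  #   { hsts: { expires: n, subdomains: b } } -> explicit values
  def initialize(app, ssl_options = {})
    @app = app
    hsts = ssl_options.fetch(:hsts, {})
    hsts = {} if hsts == true
    @hsts = hsts ? DEFAULT_HSTS.merge(hsts) : nil
  end

  def call(env)
    if ssl?(env)
      status, headers, body = @app.call(env)
      # Do not clobber a value the app already set (e.g. a before_filter).
      headers['Strict-Transport-Security'] ||= hsts_value if @hsts
      [status, headers, body]
    else
      # force_ssl behaviour: plain-HTTP requests are redirected, never served.
      location = "https://#{env['HTTP_HOST']}#{env['PATH_INFO']}"
      [301, { 'Location' => location, 'Content-Type' => 'text/html' }, []]
    end
  end

  def hsts_value
    value = "max-age=#{@hsts[:expires].to_i}"
    value += '; includeSubDomains' if @hsts[:subdomains]
    value
  end

  private

  # Simplified TLS check (assumption of this example, not Rack's full logic).
  def ssl?(env)
    env['HTTPS'] == 'on' || env['HTTP_X_FORWARDED_PROTO'] == 'https'
  end
end

# Parse a Strict-Transport-Security value into its directives so a response
# can be checked in a test rather than inspected by hand.
def parse_hsts(value)
  directives = { max_age: nil, include_subdomains: false, preload: false }
  value.to_s.split(';').map(&:strip).each do |directive|
    name, val = directive.split('=', 2).map { |s| s.strip.downcase }
    case name
    when 'max-age'           then directives[:max_age] = val.to_i
    when 'includesubdomains' then directives[:include_subdomains] = true
    when 'preload'           then directives[:preload] = true
    end
  end
  directives
end

# Constructed sample app and requests for the demonstration.
APP = ->(_env) { [200, { 'Content-Type' => 'text/plain' }, ['ok']] }
HTTPS_ENV = { 'HTTPS' => 'on', 'HTTP_HOST' => 'example.test', 'PATH_INFO' => '/' }.freeze
HTTP_ENV  = { 'HTTP_HOST' => 'example.test', 'PATH_INFO' => '/' }.freeze

def response_for(ssl_options, env)
  HstsMiddleware.new(APP, ssl_options).call(env)
end

if __FILE__ == $PROGRAM_NAME
  [{}, { hsts: { expires: 864_000, subdomains: false } },
   { hsts: { expires: YEAR, subdomains: true } }, { hsts: false }].each do |opts|
    headers = response_for(opts, HTTPS_ENV)[1]
    puts "#{opts.inspect} => #{headers['Strict-Transport-Security'].inspect}"
  end
  puts "plain HTTP => #{response_for({}, HTTP_ENV).first(2).inspect}"
end
```

Running it shows that the empty options hash already yields max-age=31536000, that the 10-day value from the question shrinks the max-age, and that subdomains: true is what adds includeSubDomains; parse_hsts is the piece you would call from a request spec to assert on the header your app actually sends.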