ActionDispatch::SSL adding STS headers to non-secure redirect responses

Trying to reconcile the following:

ActionDispatch::SSL adds Strict-Transport-Security headers to all responses, including non-secure redirect-to-https responses…

however, the STS spec explicitly says:

“An HSTS Host MUST NOT include the STS header field in HTTP responses conveyed over non-secure transport.”

http://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec-14#section-7.2

I’m not an expert on HSTS, but it sounds like ActionDispatch::SSL is violating the spec when it adds STS to redirect responses. Is this for a reason?

I have no evidence or reason to believe that this is causing any bugs or security issues.

Likewise I’m not an HSTS expert, and can’t see any security implications of it, as the header itself only contains non-sensitive information. I’d suggest opening up a pull request to fix it; it’s only going to be half a line or so, and perhaps someone can chime in there.
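To make the behaviour discussed in both posts concrete, here is a small Rack-style middleware written for this thread (it is a hypothetical illustration, not ActionDispatch::SSL or any Rails code): it redirects plain-HTTP requests to https and emits Strict-Transport-Security only on responses conveyed over TLS, as section 7.2 of the draft requires. The `secure?` check on `rack.url_scheme` / `X-Forwarded-Proto` and the sample requests are assumptions constructed for the example.

```ruby
# Hypothetical HSTS-aware SSL middleware (not ActionDispatch::SSL).
class HstsAwareSsl
  STS_VALUE = "max-age=31536000".freeze

  def initialize(app)
    @app = app
  end

  def call(env)
    if secure?(env)
      status, headers, body = @app.call(env)
      # Secure transport: the STS header is allowed (and expected) here.
      headers["Strict-Transport-Security"] ||= STS_VALUE
      [status, headers, body]
    else
      # Non-secure transport: redirect to https but do NOT add STS
      # (draft-ietf-websec-strict-transport-sec-14, section 7.2).
      # A browser would have to ignore STS received over plain HTTP anyway.
      location = "https://#{env["HTTP_HOST"]}#{env["PATH_INFO"]}"
      location += "?#{env["QUERY_STRING"]}" unless env["QUERY_STRING"].to_s.empty?
      [301, { "Location" => location, "Content-Type" => "text/html" }, []]
    end
  end

  private

  # Assumed notion of "secure": direct TLS or a trusted proxy's X-Forwarded-Proto.
  def secure?(env)
    env["rack.url_scheme"] == "https" || env["HTTP_X_FORWARDED_PROTO"] == "https"
  end
end

# Constructed sample app and requests (not captured from a real server).
APP = HstsAwareSsl.new(->(_env) { [200, { "Content-Type" => "text/plain" }, ["ok"]] })

def http_request
  APP.call("rack.url_scheme" => "http", "HTTP_HOST" => "example.com",
           "PATH_INFO" => "/login", "QUERY_STRING" => "a=1")
end

def https_request
  APP.call("rack.url_scheme" => "https", "HTTP_HOST" => "example.com",
           "PATH_INFO" => "/login", "QUERY_STRING" => "")
end
```

The http request yields a 301 to https://example.com/login?a=1 with no STS header, while the https request passes through with STS set.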

Pull request is here https://github.com/rails/rails/pull/11065