Onion service related changes to HTTPS handling (#15560)

* Enable secure cookie flag for https only * Disable force_ssl for .onion hosts only Co-authored-by: Aiden McClelland <me@drbonez.dev>
author: Cecylia Bocovich <cohosh@torproject.org> 2021-02-10 22:40:13 -0500
committer: GitHub <noreply@github.com> 2021-02-11 04:40:13 +0100
commit: e79f8dd85cb63125185fdf711f470c298a0b5dbc (patch)
tree: c27f1d0e2cd45262934fd5729e9ae3cd824747b3 /config/initializers/secureheaders.rb
parent: d499bb031f0d20a5f27facfd57cf4e00f89003d7 (diff)
1 files changed, 10 insertions, 0 deletions
diff --git a/config/initializers/secureheaders.rb b/config/initializers/secureheaders.rb
new file mode 100644
index 000000000..6c8ac7fbe
--- /dev/null
+++ b/config/initializers/secureheaders.rb
@@ -0,0 +1,10 @@
+SecureHeaders::Configuration.default do |config|
+  config.cookies = {
+    secure: true,
+    httponly: true,
+    samesite: {
+      lax: true
+    }
+  }
+  config.csp = SecureHeaders::OPT_OUT
+end
author	Cecylia Bocovich <cohosh@torproject.org>	2021-02-10 22:40:13 -0500
committer	GitHub <noreply@github.com>	2021-02-11 04:40:13 +0100
commit	e79f8dd85cb63125185fdf711f470c298a0b5dbc (patch)
tree	c27f1d0e2cd45262934fd5729e9ae3cd824747b3 /config/initializers/secureheaders.rb
parent	d499bb031f0d20a5f27facfd57cf4e00f89003d7 (diff)