From 817dac1c48c7f28b2cc5f80b3b85f44388f193d0 Mon Sep 17 00:00:00 2001
From: Thibaut Courouble
Date: Sun, 25 Nov 2018 12:29:56 -0500
Subject: [PATCH] Enable HTTP Strict-Transport-Security

---
 lib/app.rb       | 2 +-
 test/app_test.rb | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/lib/app.rb b/lib/app.rb
index bc80c62a..32cac31b 100644
--- a/lib/app.rb
+++ b/lib/app.rb
@@ -12,7 +12,7 @@ class App < Sinatra::Application
   Rack::Mime::MIME_TYPES['.webapp'] = 'application/x-web-app-manifest+json'
 
   configure do
-    use Rack::SslEnforcer, only_environments: ['production', 'test'], hsts: false, force_secure_cookies: false
+    use Rack::SslEnforcer, only_environments: ['production', 'test'], hsts: true, force_secure_cookies: false
 
     set :sentry_dsn, ENV['SENTRY_DSN']
     set :protection, except: [:frame_options, :xss_header]
diff --git a/test/app_test.rb b/test/app_test.rb
index 77975a9d..92a24acd 100644
--- a/test/app_test.rb
+++ b/test/app_test.rb
@@ -21,6 +21,11 @@ class AppTest < MiniTest::Spec
     assert_equal 'https://example.com/test?q=1', last_response['Location']
   end
 
+  it 'returns HSTS header' do
+    get 'https://example.com/test'
+    assert_equal 'max-age=31536000; includeSubDomains', last_response['Strict-Transport-Security']
+  end
+
   describe "/" do
     it "works" do
       get '/'
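Review bot: The bare `hsts: true` on the changed `use Rack::SslEnforcer` line takes the gem's default policy, which the new test pins to `max-age=31536000; includeSubDomains` — every subdomain of the deployed host is thereby committed to HTTPS for a year, and browsers that have cached the header will not honour a rollback until that max-age expires. If any subdomain is still served over plain HTTP this will break it; if the commitment is intended, spelling it out keeps it visible to the next reader, e.g. `hsts: { expires: 31536000, subdomains: true }` (option names as documented by rack-ssl-enforcer; confirm against the installed version). `force_secure_cookies: false` is left as is, so any cookie the app sets still lacks the Secure flag — HSTS protects the transport, but the flag remains the cheap defence in depth if a session cookie is ever introduced. The `configure do` block continues past the end of the hunk.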
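Review bot: The new `it 'returns HSTS header'` case only checks the HTTPS response; nothing asserts that the header is absent on the plain-HTTP redirect the preceding `Location` assertion covers, which is the response RFC 6797 says clients must ignore and the one where an accidental emit would reveal a misconfigured enforcer. A companion case of `get 'http://example.com/test'` followed by `assert_nil last_response['Strict-Transport-Security']` would pin both halves of the policy (that the enforcer suppresses the header on insecure responses is inferred from the gem's behaviour, so verify it before relying on the assertion). The exact-string match is appropriate as a deliberate pin of max-age and includeSubDomains, but a one-line comment such as `# exact match on purpose: a change here is a policy change, not a formatting nit` would stop a future gem upgrade from being "fixed" by loosening it. The enclosing AppTest class continues outside the hunk.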