HSTS (HTTP Strict Transport Security) prevents so-called SSL stripping attacks (a certain kind of man-in-the-middle attack): if a user conveniently types example.com into the browser, the browser converts it into http://example.com automatically. The server responds with a redirect to the secured connection https://example.com. Between the HTTP request and the HTTPS response, the connection could be hijacked and redirected to an HTTP spoofing page. A protocol downgrade occurs, and there the user could hand sensitive data to the attacker.
HSTS secures the browser against that kind of attack by demanding the direct use of the secured HTTPS connection. For that, the browser has to receive the HSTS header once from the domain. As soon as the browser knows the domain as HTTPS-only, it will always go to https://example.com directly.
The header entry could look like this:
Strict-Transport-Security: max-age=31536000; includeSubDomains
That means the HSTS policy is valid for one year and includes all subdomains.
Ruby on Rails supports the HSTS header by default (read how to configure an SSL connection in Rails: Rails on HTTPS) and sets the duration to 365 days (but not for the subdomains).
Another reason for modifying the HSTS header could be shortening its duration to 1 month for testing. If the page has to be delivered unsecured for whatever reason, the browser responds with an unpleasant certificate-invalid message for the remaining time of the year.
In this use case, the header should be defined in application_controller.rb:
before_filter :strict_transport_security

private

def strict_transport_security
  # 2678400 seconds = 31 days
  response.headers["Strict-Transport-Security"] = 'max-age=2678400; includeSubDomains'
end
If there has to be a rollback from HTTPS to plain HTTP, the method has to set max-age to zero:
before_filter :strict_transport_security

private

def strict_transport_security
  # max-age=0 tells the browser to forget the HSTS policy for this host
  response.headers["Strict-Transport-Security"] = 'max-age=0; includeSubDomains'
end
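To see what the header values above and the max-age=0 rollback do on the other side, here is a small model of a browser's HSTS cache in Ruby. It is an added example, not code from this post or from Rails; the class HstsStore and its method names are my own, and it assumes the RFC 6797 rule that a browser only honours the header on an HTTPS response.

```ruby
require 'uri'
# Added example, not Rails code: a minimal model of a browser's HSTS cache.
# The header counts only on an HTTPS response (RFC 6797), max-age=0 evicts the
# host, includeSubDomains covers subdomains, known hosts are upgraded up front.
class HstsStore
  Entry = Struct.new(:expires_at, :include_subdomains)
  def initialize
    @entries = {}
  end
  # "max-age=31536000; includeSubDomains" -> [31536000, true]
  def self.parse(header)
    max_age, subdomains = nil, false
    header.split(';').each do |directive|
      name, value = directive.strip.split('=', 2)
      case name.to_s.downcase
      when 'max-age' then max_age = Integer(value)
      when 'includesubdomains' then subdomains = true
      end
    end
    [max_age, subdomains]
  end
  # Record the policy from a response; `scheme` is the connection it came on.
  def process_response(host, scheme, header, now: Time.now)
    return false unless scheme == 'https' && header
    max_age, subdomains = self.class.parse(header)
    return false if max_age.nil?
    if max_age.zero?
      @entries.delete(host) # rollback: the browser forgets the host at once
    else
      @entries[host] = Entry.new(now + max_age, subdomains)
    end
    true
  end
  # Covered by its own unexpired entry or by a parent with includeSubDomains.
  def known?(host, now: Time.now)
    labels = host.split('.')
    labels.each_index.any? do |i|
      entry = @entries[labels[i..-1].join('.')]
      next false unless entry && entry.expires_at > now
      i.zero? || entry.include_subdomains
    end
  end
  # What the browser does with a typed-in address before connecting.
  def rewrite(url, now: Time.now)
    uri = URI.parse(url)
    return url unless uri.scheme == 'http' && known?(uri.host, now: now)
    URI::HTTPS.build(host: uri.host, path: uri.path, query: uri.query).to_s
  end
end
```

Note that the rollback only takes effect in browsers that actually receive the max-age=0 response over HTTPS; a browser that never comes back within the old max-age keeps upgrading to https:// until its stored entry expires.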