Merge pull request #1855 from chef/robb/add-hsts

add HTTP strict transport security header when force SSL is enabled

omnibus/cookbooks/omnibus-supermarket/recipes/app.rb

@@ -25,7 +25,7 @@
 
 file 'environment-variables' do
   path "#{node['supermarket']['var_directory']}/etc/env"
-  content Supermarket::Config.environment_variables_from(node['supermarket'])
+  content Supermarket::Config.environment_variables_from(node['supermarket'].merge('force_ssl' => node['supermarket']['nginx']['force_ssl']))
   owner node['supermarket']['user']
   group node['supermarket']['group']
   mode '0600'

omnibus/cookbooks/omnibus-supermarket/test/integration/default/inspec/controls/install-check.rb

@@ -95,11 +95,13 @@
       its('protocols') { should include 'tcp' }
     end
 
-    describe "http GET to Port #{property['supermarket']['nginx']['ssl_port']}" do
-      subject { http("http://localhost:#{property['supermarket']['nginx']['ssl_port']}", ssl_verify: false) }
+    describe http("https://#{property['supermarket']['fqdn']}:#{property['supermarket']['nginx']['ssl_port']}", ssl_verify: false) do
       it 'should not include server version number in response headers' do
         expect(subject.headers.server).to cmp('nginx')
       end
+
+      its('headers.keys') { should include('strict-transport-security') }
+      its('headers.Strict-Transport-Security') { should include('max-age=') }
     end
   end
 end

src/supermarket/config/environments/production.rb

@@ -47,7 +47,7 @@
   # config.action_cable.allowed_request_origins = [ 'http://example.com', /http:\/\/example.*/ ]
 
   # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
-  # config.force_ssl = true
+  config.force_ssl = (ENV["FORCE_SSL"] == "true")
 
   # Use the lowest log level to ensure availability of diagnostic information
   # when problems arise.