Add strict transport security (#2725)

* enables strict transport security

* adds specs

---------

Co-authored-by: Sri Harsha <sriharsha.poosa@gmail.com>

app/controllers/welcome_controller.rb

@@ -1,5 +1,6 @@
 class WelcomeController < ApplicationController
   skip_before_action :require_login
+  before_action :set_cookie_attributes, only: [:index]
 
   def show_hints
     current_user.hints = !current_user.hints
@@ -12,4 +13,11 @@ def index; end
   def form_template
     # created for generic form template access at '/templates/form-template'
   end
+
+  private
+
+  def set_cookie_attributes
+    response.headers['Set-Cookie'] = "_session_id=#{session.id}; SameSite=Strict; Secure=true; HttpOnly"
+    response.headers['Strict-Transport-Security'] = "max-age=31536000; includeSubDomains; preload"
+  end
 end

config/environments/production.rb

@@ -50,7 +50,7 @@
   # config.action_dispatch.x_sendfile_header = 'X-Accel-Redirect' # for NGINX
 
   # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
-  # config.force_ssl = true
+  config.force_ssl = true
 
   # Use the lowest log level to ensure availability of diagnostic information
   # when problems arise.

spec/controllers/welcome_controller_spec.rb

@@ -12,6 +12,12 @@
       it "renders welcome index" do
         expect(response).to render_template("index")
       end
+
+      it "has Cookie attributes" do
+        expect(response.headers["Set-Cookie"]).to match(/SameSite=Strict/)
+        expect(response.headers["Set-Cookie"]).to match(/HttpOnly/)
+        expect(response.headers["Strict-Transport-Security"]).to match(/max-age=31536000; includeSubDomains; preload/)
+      end
     end
 
     context "when not signed in" do
@@ -59,4 +65,4 @@
     get :index
     expect(response).to have_http_status(:success)
   end
-end
+end