From 111b017f581dc312be795447fcb03f9db9221e03 Mon Sep 17 00:00:00 2001 From: Bryan Richter Date: Wed, 24 Aug 2016 18:24:32 +0300 Subject: [PATCH] Explain what sslOnlyMiddleware really does (#1262) Doc updated per . I was tipped off to the discrepancy when my site worked totally fine over http, in spite of the claim, "This middleware makes a site functionally inaccessible over vanilla http in all standard browsers." --- yesod-core/Yesod/Core/Class/Yesod.hs | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/yesod-core/Yesod/Core/Class/Yesod.hs b/yesod-core/Yesod/Core/Class/Yesod.hs index 3d426982..a8e7ecb2 100644 --- a/yesod-core/Yesod/Core/Class/Yesod.hs +++ b/yesod-core/Yesod/Core/Class/Yesod.hs @@ -419,9 +419,9 @@ sameSiteSession s = (fmap . fmap) secureSessionCookies -- all responses so that browsers will rewrite all http links to https -- until the timeout expires. For security, the max-age of the STS header -- should always equal or exceed the client sessions timeout. This defends --- against hijacking attacks on the sessions of users who attempt to access --- the site using an http url. This middleware makes a site functionally --- inaccessible over vanilla http in all standard browsers. +-- against SSL-stripping man-in-the-middle attacks. It is only effective if +-- a secure connection has already been made; Strict-Transport-Security +-- headers are ignored over HTTP. -- -- Since 1.4.7 sslOnlyMiddleware :: Yesod site
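Review bot: the new comment (the three `+` lines) correctly drops the false claim that the site becomes inaccessible over plain http, but it should then tell the reader what closes the remaining gap: since the Strict-Transport-Security header is ignored over HTTP, a user's first plain-http request is not protected by this middleware at all, so the documentation should state that a separate http-to-https redirect is still required and that this middleware only protects subsequent visits once the browser has seen the header over a secure connection. Suggested addition after "headers are ignored over HTTP.": "-- Sites should still redirect plain http requests to https; this middleware does not do so on its own." Also, in the unchanged context line "should always equal or exceed the client sessions timeout", "sessions" should read "session's".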