What does force_ssl do in Rails?

by

It doesn’t just force your browser to redirect HTTP to HTTPS. It also sets your cookies to be marked “secure”, and it enables HSTS, each of which are very good protections against SSL stripping.

Even though HTTPS protects your app at “https://example.com/yourapp” against MITM attacks, if someone gets between your client and your server they can rather easily get you to visit “http://example.com/yourapp“. With neither of the above protections, your browser will happily send the session cookie to the person doing the MITM.

More Related Contents:

  1. SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
  2. SSL Error When installing rubygems, Unable to pull data from ‘https://rubygems.org/
  3. bundle install fails with SSL certificate verification error
  4. How to solve “certificate verify failed” on Windows?
  5. How do you configure WEBrick to use SSL in Rails?
  6. “Incomplete response received from application” from nginx / passenger
  7. 400 Bad Request – request header or cookie too large
  8. Can nginx be used as a reverse proxy for a backend websocket server?
  9. Heroku SSL on root domain
  10. Force SSL using ssl_requirement in Rails 2 app
  11. 403 Forbidden on Rails app w/ Nginx, Passenger
  12. Fully custom validation error message with Rails
  13. Rails where condition using NOT NIL
  14. devise and multiple “user” models
  15. How are Rails instance variables passed to views?
  16. STI, one controller
  17. Adding cookie session store back to Rails API app
  18. Rails 4 images not loading on heroku
  19. How to execute a raw update sql with dynamic binding in rails
  20. Why do people use Heroku when AWS is present? What distinguishes Heroku from AWS? [closed]
  21. How to `bundle install` when your Gemfile requires an older version of bundler?
  22. undefined method `get’ for #
  23. Find unused code in a Rails app
  24. Paginating an Array in Ruby with will_paginate
  25. How can I rollback a specific migration?
  26. undefined method `visit’ when using RSpec and Capybara in rails
  27. Rails: How to parse date-time string into a specific time zone
  28. Error message: Make sure that `gem install pg -v ‘0.18.1’` succeeds before bundling
  29. Rails 4.0 expire_fragment/cache expiration not working
  30. How to skip a before_filter for Devise’s SessionsController?

Leave a Comment