Completely disable exception debug pages in prod

commit eb6e816ecb7cc945657169985034c77ac7d23082 1 parent 5d409f2
@jamiecobbett jamiecobbett authored
Showing with 9 additions and 0 deletions.
  1. +9 −0 config/environments/production.rb
9 config/environments/production.rb
@@ -8,6 +8,15 @@
config.consider_all_requests_local = false
config.action_controller.perform_caching = true
+ # Disable even limited exception/debug pages in production for two reasons:
+ # 1) our backend rails apps get X-Forwarded-For & Client-IP for all requests
+ # as 10.x.x.x, which is a trusted proxy. This means they render the
+ # limited exception/debug pages.
+ # 2) our backend rails apps receive requests from other apps that might
+ # appear to be on trusted proxy IPs, so we might render exception/debug
+ # page, which could then be exposed in a frontend app to the world.
+ config.action_dispatch.show_exceptions = false
+
# Disable Rails's static asset server (Apache or nginx will already do this)
config.serve_static_assets = false
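Review bot: `config.action_dispatch.show_exceptions = false` is a wider switch than the two reasons in the added comment call for. Both reasons are about requests being treated as coming from a trusted 10.x.x.x proxy, yet the setting turns off exception rendering for every request instead of correcting that trust decision. As raised in the comments on this commit, it also makes an ActionController::RoutingError surface as a 500 rather than a 404. Consider keeping the middleware and forcing the local-request check to return false for these backend apps, or at minimum record the 404-to-500 side effect in this comment block and cover an unknown route with a test.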

4 comments on commit eb6e816

@nickstenning

I'm not sure you want to do this. This will cause an ActionController::RoutingError (aka a 404) to be raised as a 500.

@jamiecobbett

You seem to be correct, but I'm at a loss to explain why.

@nickstenning

Because ActionDispatch::ShowExceptions is responsible for turning exceptions into error pages. And one of its special cases is responsible for turning ActionController::RoutingError into an HTTP 404.

The only way to achieve what you're trying to achieve used to be to override ActionController::Base#local_request? to always return false, but I think that might have changed in Rails 3.

@jamiecobbett

RAILS! :rage:
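The trade-off discussed in the comments above, as a simplified plain-Ruby model (an added example, not Rails source and not part of this commit). Every class, method and option name here is hypothetical, and `force_public` stands in for the idea of making the local-request check always return false.

```ruby
require 'ipaddr'

# Simplified model, not Rails source: all class and method names are hypothetical.
class RoutingError < StandardError; end

TRUSTED_PROXIES = IPAddr.new('10.0.0.0/8') # the 10.x.x.x range named in the commit comment

# Innermost app: raises for unknown paths, like a router with no matching route.
ROUTER = lambda do |env|
  raise RoutingError, "No route matches #{env['PATH_INFO']}" unless env['PATH_INFO'] == '/'
  [200, 'home']
end

# Stand-in for the exception-rendering middleware described in the thread.
class ShowExceptionsModel
  def initialize(app, force_public: false)
    @app = app
    @force_public = force_public
  end

  def call(env)
    @app.call(env)
  rescue StandardError => e
    status = e.is_a?(RoutingError) ? 404 : 500 # the special case for routing errors
    local = !@force_public && TRUSTED_PROXIES.include?(IPAddr.new(env['REMOTE_ADDR']))
    body = local ? "#{e.class}: #{e.message}" : "Error #{status}" # detail only for "local" clients
    [status, body]
  end
end

# Stand-in for the web server: anything still raised becomes a bare 500.
def serve(app, path, remote_addr)
  app.call({ 'PATH_INFO' => path, 'REMOTE_ADDR' => remote_addr })
rescue StandardError
  [500, 'Internal Server Error']
end

def scenarios
  proxied = '10.1.2.3' # constructed address inside the trusted range
  {
    middleware_on: serve(ShowExceptionsModel.new(ROUTER), '/missing', proxied),
    middleware_off: serve(ROUTER, '/missing', proxied),
    forced_public: serve(ShowExceptionsModel.new(ROUTER, force_public: true), '/missing', proxied)
  }
end

scenarios.each { |name, (status, body)| puts "#{name}: #{status} #{body}" }
```

In this model only the `forced_public` case both keeps the 404 and withholds the exception detail from a request that arrives via the 10.x.x.x range.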
