
Enforce SSL for your controllers

this is derived from rails/ssl_requirement and takes a stricter approach: secure everything and open it up only when and where needed.

usage

it requires rails3. to install it, add the gem to your Gemfile

        gem 'enforce-ssl'

this activates the enforce_ssl before_filter for all controllers, i.e.
every request that comes in over http is redirected to the corresponding https url on the configured ssl port.

configure the ssl/no_ssl port

configure the enforced ssl port and the plain http port (defaults: development => 8080/8443, production => 80/443):

        config.ssl_port = 8443
        config.no_ssl_port = 8080

for development you can do that in config/environments/development.rb.

configure HSTS – HTTP Strict Transport Security

there are two config parameters for HSTS: hsts_include_sub_domain (default false) and hsts_max_age (default 31536000, i.e. one year in seconds).

this configuration is only used in production, so it is sufficient to set it in config/environments/production.rb:

        config.hsts_include_sub_domain = false
        config.hsts_max_age = 31536000

using a webserver which listens to http + https

if your Gemfile allows JRuby as the interpreter, you can use jetty-run from the ruby-maven gem (jruby only) to have both an http and an https port listening for requests. that is how the defaults are set up.

webrick can handle ssl as well; there is a blog post which explains how to get ssl working for webrick and rails3. but then you only have ssl, and you need to configure the ssl_port correctly.

maybe other servers can offer both ssl and non-ssl . . .

NOTE: use https:// in your url when using the ssl port or webrick with ssl

allow http for some controllers or some actions

use the skip_before_filter declaration in a controller with its :only and :except options to control where you want to allow http alongside https.

        skip_before_filter :enforce_ssl

or

        skip_before_filter :enforce_ssl, :only => :index

or

        skip_before_filter :enforce_ssl, :except => :show
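the following is an added, plain-Ruby model of the behaviour described above (the port-based redirect, the production-only HSTS header, and the :only / :except skip options); it is not the enforce-ssl gem's own code and does not need rails. the module and struct names (EnforceSsl, Config, Request), the :production flag and the choice to send the HSTS header only on https responses (browsers ignore it over http) are assumptions made for this example.

```ruby
# Added example, not the enforce-ssl gem's code: a stand-alone model of the
# enforce_ssl before_filter. Names and the :production flag are assumptions.
require 'uri'

module EnforceSsl
  Config  = Struct.new(:ssl_port, :no_ssl_port, :hsts_include_sub_domain,
                       :hsts_max_age, :production)
  Request = Struct.new(:scheme, :host, :port, :path, :action)

  # Defaults as stated in the README: development 8080/8443, production 80/443,
  # HSTS off for sub domains and max-age of one year.
  DEFAULTS = {
    development: Config.new(8443, 8080, false, 31_536_000, false),
    production:  Config.new(443,  80,   false, 31_536_000, true)
  }.freeze

  # Target of the redirect: same host and path, https scheme, configured ssl
  # port (URI omits the port when it is the https default 443).
  def self.https_url(request, config)
    URI::HTTPS.build(host: request.host, port: config.ssl_port,
                     path: request.path).to_s
  end

  # Strict-Transport-Security value; the README says HSTS settings are only
  # used in production, so nothing is emitted elsewhere.
  def self.hsts_header(config)
    return nil unless config.production
    parts = ["max-age=#{config.hsts_max_age}"]
    parts << 'includeSubDomains' if config.hsts_include_sub_domain
    parts.join('; ')
  end

  # Models skip_before_filter :enforce_ssl with optional :only / :except.
  # skip == nil means no skip declaration at all; {} means skip everywhere.
  def self.skipped?(action, skip)
    return false if skip.nil?
    action = action.to_sym
    if skip[:only]
      Array(skip[:only]).map(&:to_sym).include?(action)
    elsif skip[:except]
      !Array(skip[:except]).map(&:to_sym).include?(action)
    else
      true
    end
  end

  # The filter: an https request passes (with HSTS in production); an http
  # request passes only where the filter is skipped, otherwise it is redirected.
  def self.filter(request, config, skip: nil)
    if request.scheme == 'https'
      [:allow, hsts_header(config)]
    elsif skipped?(request.action, skip)
      [:allow, nil]
    else
      [:redirect, https_url(request, config)]
    end
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample request in development, no skip declared.
  req = EnforceSsl::Request.new('http', 'localhost', 8080, '/posts', :index)
  p EnforceSsl.filter(req, EnforceSsl::DEFAULTS[:development])
  # [:redirect, "https://localhost:8443/posts"]
end
```

EnforceSsl.filter returns either [:redirect, url] or [:allow, hsts_header_or_nil], which is what a controller filter would act on: redirect_to the url, or continue and set the header when it is present.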