

Enforce SSL for your controllers

This is derived from rails/ssl_requirement but takes a stricter approach: secure everything by default and open up plain http only when and where it is needed.


It requires Rails 3. To install, add the gem to your Gemfile:

    gem 'enforce-ssl'

This activates the enforce_ssl before_filter for all controllers, i.e.
every request that comes in over http is redirected to the corresponding https URL, using the configured SSL port.

Configure the ssl / no_ssl port

Configure the enforced SSL port and the plain http port with the two settings below (defaults: development ssl_port 8443 / no_ssl_port 8080, production 443 / 80):

    config.ssl_port = 8443
    config.no_ssl_port = 8080

For development you can put this in config/environments/development.rb.

Configure HSTS (HTTP Strict Transport Security)

There are two config parameters for HSTS: hsts_include_sub_domain (default false) and hsts_max_age (default 31536000, which is one year in seconds).

This configuration is only used in production, so it is sufficient to set it in config/environments/production.rb:

    config.hsts_include_sub_domain = false
    config.hsts_max_age = 31536000

Note that the http-to-https redirect only helps after a plaintext request has already been sent; HSTS is what stops the browser from making that plaintext request in the first place. Browsers only honour the Strict-Transport-Security header when they receive it over https, and once stored they refuse plain http to the host for max_age seconds, so only turn on hsts_include_sub_domain if every subdomain is served over https as well, and consider a short max_age while rolling it out.

Using a webserver which listens on http + https

If your Gemfile allows JRuby as the interpreter, you can use jetty-run from the ruby-maven gem (JRuby only) to have both an http and an https port listening for requests. That is how the defaults are set up.

WEBrick can handle SSL as well; here is a blog which explains how to get SSL working for WEBrick and Rails 3. But then you only have SSL, and you need to configure ssl_port correctly.

Maybe other servers can offer both SSL and non-SSL . . .

NOTE: use https:// in your URL when using the SSL port or WEBrick with SSL.

Allow http for some controllers or some actions

Use the skip_before_filter declaration with its :only and :except options to control where you want to allow http alongside https.

Allow http for every action of the controller:

    skip_before_filter :enforce_ssl

Allow http only for the index action (all other actions stay https-only):

    skip_before_filter :enforce_ssl, :only => :index

Allow http for every action except show (show stays https-only):

    skip_before_filter :enforce_ssl, :except => :show
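The following is an added example, not the enforce-ssl gem's own code: a Rails-free model of the decisions an enforce_ssl before_filter has to make, so that the redirect rule, the HSTS header and the :only / :except skip rules described above can be exercised without booting Rails. The names (Request, SslEnforcement, Config, the hsts_enabled flag standing in for "HSTS is only used in production") and the choice of a 301 for the redirect are assumptions of this example, not options or behaviour documented for the gem.

```ruby
# Added example (not the enforce-ssl gem's code): a Rails-free model of what an
# enforce_ssl before_filter has to decide. Names and structure are illustrative.

# The parts of a Rails request the filter looks at (assumed shape).
Request = Struct.new(:scheme, :host, :port, :fullpath, keyword_init: true) do
  def ssl?
    scheme == "https"
  end
end

module SslEnforcement
  # Mirrors the README's config keys; hsts_enabled models "HSTS is only used
  # in production" and is an assumption of this example, not a gem option.
  Config = Struct.new(:ssl_port, :no_ssl_port, :hsts_enabled, :hsts_max_age,
                      :hsts_include_sub_domain, keyword_init: true)

  PRODUCTION  = Config.new(ssl_port: 443,  no_ssl_port: 80,   hsts_enabled: true,
                           hsts_max_age: 31_536_000, hsts_include_sub_domain: false)
  DEVELOPMENT = Config.new(ssl_port: 8443, no_ssl_port: 8080, hsts_enabled: false,
                           hsts_max_age: 31_536_000, hsts_include_sub_domain: false)

  # The https URL a plain-http request is sent to, honouring the configured
  # ssl_port (omitted when it is the default 443); nil if already over TLS.
  def self.redirect_target(request, config)
    return nil if request.ssl?
    port = config.ssl_port == 443 ? "" : ":#{config.ssl_port}"
    "https://#{request.host}#{port}#{request.fullpath}"
  end

  # Strict-Transport-Security header value built from the two hsts_* settings.
  def self.hsts_header(config)
    directives = ["max-age=#{config.hsts_max_age}"]
    directives << "includeSubDomains" if config.hsts_include_sub_domain
    directives.join("; ")
  end

  # Models `skip_before_filter :enforce_ssl, :only => ..., :except => ...`.
  # skip_rule is nil (no skip declared), {} (bare skip), or a hash with
  # :only / :except action lists. Returns true when the filter still applies.
  def self.enforced?(action, skip_rule)
    return true if skip_rule.nil?
    action = action.to_s
    only   = Array(skip_rule[:only]).map(&:to_s)
    except = Array(skip_rule[:except]).map(&:to_s)
    return !only.include?(action) unless only.empty?    # skipped only for listed actions
    return except.include?(action) unless except.empty? # skipped for all but listed actions
    false                                               # bare skip: never enforced
  end

  # Full decision for one request: a redirect to https (301 is this example's
  # choice), or the headers the filter adds to the response. HSTS is only set
  # on responses that actually went over TLS, because browsers ignore the
  # header on plain http (RFC 6797).
  def self.process(request, action, config, skip_rule: nil)
    if enforced?(action, skip_rule) && (target = redirect_target(request, config))
      return { status: 301, headers: { "Location" => target } }
    end
    headers = {}
    if request.ssl? && config.hsts_enabled
      headers["Strict-Transport-Security"] = hsts_header(config)
    end
    { status: 200, headers: headers }
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample requests for a walk-through.
  http_login  = Request.new(scheme: "http",  host: "example.com", port: 80,
                            fullpath: "/login?next=%2Faccount")
  https_login = Request.new(scheme: "https", host: "example.com", port: 443,
                            fullpath: "/login")
  p SslEnforcement.process(http_login,  :new,   SslEnforcement::PRODUCTION)
  p SslEnforcement.process(http_login,  :index, SslEnforcement::DEVELOPMENT,
                           skip_rule: { only: :index })
  p SslEnforcement.process(https_login, :new,   SslEnforcement::PRODUCTION)
end
```

Running the file shows the three outcomes side by side: the plain-http request to a protected action becomes a 301 to https://example.com/login?next=%2Faccount, the same request to an action exempted with :only => :index passes through unchanged in development, and the https request in production gets a Strict-Transport-Security header of max-age=31536000.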