How To: Use SSL (HTTPS)

Felix Wolfsteller edited this page Apr 6, 2015 · 11 revisions

The examples below only show how to serve the Devise views over SSL. Since Rails keeps its session in a cookie, it is recommended that the entire website use SSL; otherwise the session cookie is still sent in the clear on every plain-HTTP request.

Using the SSL Requirement plugin:

For Devise 1.0, one way to do sign_in over SSL is:

# in app/controllers/application_controller.rb
class ApplicationController < ActionController::Base
  include SslRequirement
end

# in config/environment.rb
config.to_prepare do
  SessionsController.ssl_required :new, :create
  RegistrationsController.ssl_required :new, :create
end

With Devise 1.1 the controllers are namespaced, so at the bottom you need instead:

Devise::SessionsController.ssl_required :new, :create

If the code above only enforces SSL on the first request in development (the class is reloaded afterwards), you may need to move the last line into a config.to_prepare block inside config/application.rb or config/environment.rb:

config.to_prepare { Devise::SessionsController.ssl_required :new, :create }

Rails 3.1 no longer needs the ssl_requirement gem, because controllers have force_ssl built in. Just place this in your environment file:

# in config/environments/production.rb
config.to_prepare do
  Devise::SessionsController.force_ssl
  Devise::RegistrationsController.force_ssl
  Devise::PasswordsController.force_ssl
  # or your customized controllers extending from Devise
end

Also, if you use confirmable and want the confirmation links in the mails you send to use https, consider setting:

# in config/environments/production.rb (Rails 4.1)
config.action_mailer.default_url_options = { protocol: 'https', host: 'YOUR_HOST' }

And make sure SSL is enabled on the web server (Nginx, Apache, etc.) and that the server tells Rails the request was SSL. If the server is not configured properly, Rails will not recognize the request as SSL (even if it is), force_ssl will redirect to https again, and you get an infinite redirect loop.

For Nginx you need to add the following line to the proxy configuration in your nginx.conf:

proxy_set_header X-FORWARDED-PROTO $scheme;

This forwards the protocol of the original request (https or http) to your app.

For Apache you can set:

RequestHeader set X-FORWARDED-PROTO 'https'
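The redirect loop described above is easiest to understand by simulating it. The following is an added example, not code from the Devise wiki or from Devise or Rails themselves: a minimal stand-in for force_ssl that decides "is this SSL?" the way Rails does behind a proxy (trust X-Forwarded-Proto, else the scheme of the direct connection), a fake nginx that always talks plain HTTP to the app and only adds the header when configured to, and a fake browser that follows redirects. Hostnames, paths and the 301 behaviour are constructed for the example; the point it shows is that without the forwarded header the app redirects an already-HTTPS request to HTTPS forever.

```ruby
require "uri"

# Determine the request scheme the way Rails does behind a reverse proxy:
# trust the X-Forwarded-Proto header set by the TLS-terminating proxy, and
# fall back to the scheme of the direct connection (rack.url_scheme).
def request_scheme(env)
  forwarded = env["HTTP_X_FORWARDED_PROTO"].to_s
  return forwarded.split(",").first.strip.downcase unless forwarded.empty?
  env["rack.url_scheme"] || "http"
end

def ssl_request?(env)
  request_scheme(env) == "https"
end

# Minimal stand-in for force_ssl / ssl_required (constructed for this example):
# 301 to the https version of the same URL unless the request counts as SSL.
class ForceSsl
  def initialize(app)
    @app = app
  end

  def call(env)
    return @app.call(env) if ssl_request?(env)
    location = "https://#{env["HTTP_HOST"]}#{env["PATH_INFO"]}"
    location += "?#{env["QUERY_STRING"]}" unless env["QUERY_STRING"].to_s.empty?
    [301, { "Location" => location }, []]
  end
end

# Build the Rack env the app sees when nginx terminates TLS and proxies the
# request to the app over plain HTTP. Only with forward_proto: true does the
# proxy behave as if `proxy_set_header X-FORWARDED-PROTO $scheme;` were set.
def env_via_proxy(url, forward_proto:)
  uri = URI(url)
  env = {
    "REQUEST_METHOD"  => "GET",
    "HTTP_HOST"       => uri.host,
    "PATH_INFO"       => uri.path,
    "QUERY_STRING"    => uri.query.to_s,
    "rack.url_scheme" => "http" # the proxy -> app hop is always plain HTTP
  }
  env["HTTP_X_FORWARDED_PROTO"] = uri.scheme if forward_proto
  env
end

# Act as a browser that follows redirects through the proxy. Returns
# [:ok, final_url] when the app answers 200, or [:redirect_loop, hops]
# when the redirect budget is exhausted.
def browse(app, url, forward_proto:, max_hops: 5)
  hops = 0
  loop do
    status, headers, _body = app.call(env_via_proxy(url, forward_proto: forward_proto))
    return [:ok, url] if status == 200
    hops += 1
    return [:redirect_loop, hops] if hops > max_hops
    url = headers["Location"]
  end
end

# Constructed sign-in endpoint standing in for Devise::SessionsController#new.
SIGN_IN = ->(_env) { [200, { "Content-Type" => "text/html" }, ["sign-in form"]] }
APP = ForceSsl.new(SIGN_IN)

if __FILE__ == $PROGRAM_NAME
  p browse(APP, "https://example.test/users/sign_in", forward_proto: true)  # [:ok, ...]
  p browse(APP, "https://example.test/users/sign_in", forward_proto: false) # [:redirect_loop, 6]
  p browse(APP, "http://example.test/users/sign_in",  forward_proto: true)  # one redirect, then [:ok, ...]
end
```

Because the application trusts X-Forwarded-Proto, the header must come from the proxy and not from the client: nginx's proxy_set_header replaces any value the client sent, and the app port should only be reachable through the proxy. If it is reachable directly, a client can claim https on a plain-HTTP connection and skip the redirect.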