Hi, if you want to use only HTTPS with all secure options, I recommend that
you uncomment the default production environment option in
config/environments/production.rb:
# Force all access to the app over SSL, use Strict-Transport-Security,
# and use secure cookies.
# config.force_ssl = true
Rails provides the complete secure HTTPS stack:
- secure flag in the session cookie,
- HTTP Strict-Transport-Security,
- redirect HTTP to HTTPS.
Cheers,
Florian
On Thursday, 1 September 2016 15:14:34 UTC+2, Rodrigo Rosenfeld Rosas wrote:
>
> Hi, currently Rails apps will have something like this by default in the
> initializers:
>
> Rails.application.config.session_store :cookie_store, key: '_my_app_session'
>
> This will not set the "secure" flag in the _my_app_session cookie. It
> can be set by providing the {secure: true} option to session_store, but
> this happens at boot time rather than at request time. This has two
> problems in my opinion:
>
> 1 - Rails isn't safe by default (to the extent of a secure cookie);
>
> 2 - It's not possible to serve the same application over different
> domains when one of them is served over HTTPS and other over HTTP
> (unless insecure cookies are used for both); this could be useful for
> some multi-tenant applications that will customize any views or behavior
> based on the request's domain, while some clients are willing to use a
> certificate while others are not (maybe managing free Let's Encrypt
> certificates would not be desired and not all clients are willing to pay
> for the certificates).
>
> To fix the second case, Rails could introduce a {secure: :if_ssl} or
> {conditionally_secure: true} option to allow the secure flag to be set
> if request.ssl? is true. The first case would be fixed making this
> option the default one.
>
> What do you think?
>
> Best,
>
> Rodrigo.
>
>
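The per-request secure flag discussed in the thread, as an added example (not Rails code and not from either poster): a Rack-style middleware that adds the Secure attribute to outgoing Set-Cookie headers only when the request arrived over TLS, which is what a {secure: :if_ssl} option would have to do instead of fixing the flag at boot. The middleware name, the cookie names and the inner app are assumptions for illustration; the ssl? check mirrors some of the signals Rack's request.ssl? (which Rails inherits) inspects: the HTTPS env var, rack.url_scheme and X-Forwarded-Proto. It needs no gems, so it runs with plain Ruby.

```ruby
# Added example, not code from Rails or from the thread's authors.
# Rack-style middleware: add "Secure" to Set-Cookie only when the current
# request came in over TLS (decided per request, not at boot).
class ConditionalSecureCookies
  # cookie_names: restrict the rewrite to these cookies (nil = all cookies).
  def initialize(app, cookie_names: nil)
    @app = app
    @cookie_names = cookie_names
  end

  def call(env)
    status, headers, body = @app.call(env)
    # Rack 3 lowercases header names; Rack 2 uses "Set-Cookie". Match either.
    key = headers.keys.find { |k| k.casecmp('set-cookie').zero? }
    headers[key] = rewrite(headers[key]) if key && ssl?(env)
    [status, headers, body]
  end

  # Rack 2 joins several cookies with "\n"; Rack 3 uses an Array. Handle both.
  def rewrite(value)
    case value
    when Array then value.map { |c| secure_if_targeted(c) }
    else value.to_s.split("\n").map { |c| secure_if_targeted(c) }.join("\n")
    end
  end

  def secure_if_targeted(cookie)
    name = cookie.split('=', 2).first.to_s.strip
    return cookie if @cookie_names && !@cookie_names.include?(name)
    self.class.add_secure(cookie)
  end

  # Idempotent: never emit a second Secure attribute.
  def self.add_secure(cookie)
    attrs = cookie.split(';').map(&:strip)
    return cookie if attrs.drop(1).any? { |a| a.casecmp('secure').zero? }
    "#{cookie}; Secure"
  end

  # Same kind of signals request.ssl? looks at. X-Forwarded-Proto is only
  # trustworthy when a proxy you control sets it and overwrites whatever the
  # client sent; otherwise a plain-HTTP client can claim https and receive a
  # cookie the browser will then refuse to send back over http.
  def ssl?(env)
    return true if env['HTTPS'].to_s.casecmp('on').zero?
    return true if env['rack.url_scheme'] == 'https'
    forwarded = env['HTTP_X_FORWARDED_PROTO'].to_s.split(',').first.to_s.strip
    forwarded.casecmp('https').zero?
  end
end

# Constructed inner app (assumption): sets a session cookie without Secure,
# like a Rails app whose session_store has no secure: option, plus a
# non-session cookie that we deliberately leave alone.
INNER_APP = lambda do |_env|
  [200,
   { 'Content-Type' => 'text/plain',
     'Set-Cookie' => "_my_app_session=abc123; path=/; HttpOnly\nlocale=en; path=/" },
   ['ok']]
end

APP = ConditionalSecureCookies.new(INNER_APP, cookie_names: ['_my_app_session'])

# Returns the Set-Cookie lines a client would see for the given Rack env.
def cookies_for(env)
  _status, headers, _body = APP.call(env)
  headers['Set-Cookie'].split("\n")
end

if __FILE__ == $PROGRAM_NAME
  p cookies_for('rack.url_scheme' => 'http')
  p cookies_for('rack.url_scheme' => 'https')
  p cookies_for('rack.url_scheme' => 'http', 'HTTP_X_FORWARDED_PROTO' => 'https')
end
```

For a single-domain deployment that is HTTPS-only, config.force_ssl = true as recommended above is the simpler choice: it sets the flag unconditionally and also adds the redirect and the HSTS header. A per-request check like this middleware only buys something in the mixed-scheme multi-tenant case from the original post, and then the proxy must be the only source of X-Forwarded-Proto.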
--
Posted to the Google Groups "Ruby on Rails: Core" group
(https://groups.google.com/group/rubyonrails-core).