Enhancing Security in Ruby on Rails - SSL Enforcement by Default
source link: https://blog.saeloun.com/2023/10/10/rails-force-ssl-true-production/
Oct 10, 2023 · 1 minute read

While developing web apps, security is of prime importance, especially for apps that handle users' sensitive data. The use of SSL (Secure Sockets Layer) is critical for web application security: it is a protocol that provides secure communication over the Internet.

In this blog, we will go through the use of SSL, the default behavior of SSL enforcement in earlier versions of Rails, and the change introduced in Rails 7.1 to the default behavior in the production.rb file.
SSL: A brief overview
SSL is a security protocol for encrypting data sent between the client (web browser) and the server. It protects information such as user identity, credit card details, and personal data.

In Rails applications, the config.force_ssl setting in the production.rb file is used to enforce the use of SSL for incoming requests when the app is running in the production environment.
Before: The default behavior
In earlier versions of Rails, config.force_ssl was commented out and not explicitly set. As a result, the application would accept requests over both HTTP and HTTPS, the latter only if an SSL certificate was configured.
Let's take an example to understand the behaviour. I have set up a sample app in which config.force_ssl is commented out. Now, if I visit the root path with http, it renders the view. From the address bar we can also see that http (Not secure) was used while making the request.
![before-http.png](https://blog.saeloun.com/images/rails-force-ssl/before-http.png)
After: The default behavior
From Rails 7.1 there has been a change in the default behavior. The config.force_ssl setting in production.rb is set to true by default. Because of this, all incoming requests in the production environment are automatically redirected to their HTTPS URL, which ensures secure data communication.
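To make the redirect concrete, here is a simplified stand-in for what config.force_ssl = true switches on (the ActionDispatch::SSL middleware). It is an added illustration written for this post, not Rails' own code: plain Ruby over Rack-style env hashes, with a constructed sample app, the host example.com, and an assumed two-year HSTS value.

```ruby
# Simplified stand-in for what config.force_ssl = true turns on in Rails
# (the ActionDispatch::SSL middleware). Added for illustration, not Rails'
# own code: plain Ruby over Rack-style env hashes, no gems required.
class ForceSsl
  # HSTS value assumed here (two years, subdomains included).
  HSTS_HEADER = "max-age=63072000; includeSubDomains".freeze
  SAFE_METHODS = %w[GET HEAD].freeze

  def initialize(app)
    @app = app
  end

  def call(env)
    return redirect_to_https(env) unless ssl?(env)
    status, headers, body = @app.call(env)
    # Only on HTTPS responses: tell the browser to stay on HTTPS from now on.
    headers["Strict-Transport-Security"] ||= HSTS_HEADER
    [status, headers, body]
  end

  # The request counts as HTTPS if the server terminated TLS itself or a
  # proxy in front of it (load balancer) says so via X-Forwarded-Proto.
  def ssl?(env)
    env["HTTPS"] == "on" || env["rack.url_scheme"] == "https" ||
      env["HTTP_X_FORWARDED_PROTO"].to_s.split(",").first.to_s.strip == "https"
  end

  # 301 for GET/HEAD; 307 for other verbs so method and body are preserved.
  def redirect_to_https(env)
    status = SAFE_METHODS.include?(env["REQUEST_METHOD"]) ? 301 : 307
    location = "https://#{env["HTTP_HOST"]}#{env["PATH_INFO"]}"
    location += "?#{env["QUERY_STRING"]}" unless env["QUERY_STRING"].to_s.empty?
    [status, { "Location" => location, "Content-Type" => "text/plain" }, []]
  end
end

# Constructed sample app and request builder for a quick offline check.
HELLO_APP = ->(_env) { [200, { "Content-Type" => "text/html" }, ["<h1>Hello</h1>"]] }

def handle(method, scheme, path, query = "", forwarded: nil)
  env = { "REQUEST_METHOD" => method, "rack.url_scheme" => scheme,
          "HTTP_HOST" => "example.com", "PATH_INFO" => path, "QUERY_STRING" => query }
  env["HTTP_X_FORWARDED_PROTO"] = forwarded if forwarded
  ForceSsl.new(HELLO_APP).call(env)
end

puts handle("GET", "http", "/").first # => 301
```

Behind a load balancer that terminates TLS, the app only sees HTTPS through X-Forwarded-Proto, so a proxy that does not pass that header will cause an endless redirect loop with force_ssl enabled.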
We can see the above change with the help of an example. I have set up a Rails 7.1 app in which config.force_ssl is set to true by default. From the images attached below we can see that we made a request using http, but it was automatically redirected to https.

Also, the page was not loaded because we don't have an SSL certificate; otherwise this error would not be shown here.