What does force_ssl do in Rails?

Asked 28/3, 2013 at 7:47 Answered 13/9, 2016 at 17:57

105

In a previous question I found out that I should be setting nginx ssl termination and not having Rails process encrypted data.

Then why does the following exist?

config.force_ssl = true

I see this commented out in the production config file. But if the expectation is that nginx will handle all the ssl stuff so that my rails app doesn't deal with encrypted data then what does config.force_ssl = true do?

Should I leave it commented out in production if I know I will always be using nginx?

Evaleen answered 28/3, 2013 at 7:47 Comment(0)

It doesn't just force your browser to redirect HTTP to HTTPS. It also sets your cookies to be marked "secure", and it enables HSTS, each of which are very good protections against SSL stripping.

Even though HTTPS protects your app at "https://example.com/yourapp" against MITM attacks, if someone gets between your client and your server they can rather easily get you to visit "http://example.com/yourapp". With neither of the above protections, your browser will happily send the session cookie to the person doing the MITM.

Masthead answered 4/11, 2014 at 15:4 Comment(4)

The source of force_ssl contains no indication of HSTS being enabled by this option – Downs 31/1, 2015 at 22:33

@Downs This is a separate per-controller force_ssl property. The force_ssl config variable, which installs the Rack::SSL middleware, which does enable HSTS by default. – Somatotype 9/2, 2015 at 6:45

@Downs you're looking in the wrong place: github.com/rails/rails/blob/… – Predicative 11/7, 2015 at 23:45

it sounds like config.force_ssl = true should be the default, why did the rails team comment it out as default? – Lowspirited 3/9, 2018 at 0:33

Setting config.force_ssl includes ActionDispatch::SSL. The ActionDispatch::SSL docs describe the functionality as follows (emphases added for clarity):

See the includes here and the docs for ActionDispatch::SSL here.

DOCS

This middleware is added to the stack when config.force_ssl = true, and is passed the options set in config.ssl_options. It does three jobs to enforce secure HTTP requests:

TLS redirect: Permanently redirects http:// requests to https:// with the same URL host, path, etc. Enabled by default. Set config.ssl_options to modify the destination URL (e.g. redirect: { host: "secure.widgets.com", port: 8080 }), or set redirect: false to disable this feature.
Secure cookies: Sets the secure flag on cookies to tell browsers they mustn't be sent along with http:// requests. Enabled by default. Set config.ssl_options with secure_cookies: false to disable this feature.
HTTP Strict Transport Security (HSTS): Tells the browser to remember this site as TLS-only and automatically redirect non-TLS requests. Enabled by default. Configure config.ssl_options with hsts: false to disable. Set config.ssl_options with hsts: { … } to configure HSTS:
- expires: How long, in seconds, these settings will stick. Defaults to 180.days (recommended). The minimum required to qualify for browser preload lists is 18.weeks.
- subdomains: Set to true to tell the browser to apply these settings to all subdomains. This protects your cookies from interception by a vulnerable site on a subdomain. Defaults to true.
- preload: Advertise that this site may be included in browsers' preloaded HSTS lists. HSTS protects your site on every visit except the first visit since it hasn't seen your HSTS header yet. To close this gap, browser vendors include a baked-in list of HSTS-enabled sites. Go to https://hstspreload.appspot.com to submit your site for inclusion. To turn off HSTS, omitting the header is not enough. Browsers will remember the original HSTS directive until it expires. Instead, use the header to tell browsers to expire HSTS immediately. Setting hsts: false is a shortcut for hsts: { expires: 0 }.

Requests can opt-out of redirection with exclude:

config.ssl_options = { redirect: { exclude: -> request { request.path =~ /healthcheck/ } } }

Pyrology answered 13/9, 2016 at 17:57 Comment(2)

"Requests can opt-out of redirection with exclude" - Warning: this feature was only added recently in Rails 5, so won't work for those of us on Rails 4.2 or below – Timon 3/11, 2016 at 13:8

I believe the exclude global options was available a long time before Rails 5, so it's slightly different syntaxt: config.ssl_options = { exclude: proc { |env| env['PATH_INFO'].start_with?('/healthcheck/') } } — serverfault.com/a/517401 – Luddite 12/10, 2018 at 18:53

This setting forces HTTPS by redirecting HTTP requests to their HTTPS counterparts. So a browser visiting http://domain.com/path will be redirected to https://domain.com/path.

Leaving the setting commented out would allow both protocols.

You still have to configure your web server to handle HTTPS requests.

Indianapolis answered 28/3, 2013 at 8:13 Comment(4)

But if you enable HTTPS at nginx level (by redirecting everything to HTTPS via redirect 301 https:...), wouldn't EVERYTHING be going through https, thus config.force_ssl = true doesn't really do anything (since nothing will ever be http)? Or is there a deeper security reason here? – Ailin 30/9, 2014 at 6:26

@TristanTao yes, that would work just as well. But even then, I would leave config.force_ssl enabled, just in case someone is removing the redirect from the web server's config. – Indianapolis 30/9, 2014 at 6:47

be careful doh, config.force_ssl is bit different than force_ssl in controller in terms of securing cookies against session hijacking more here: eq8.eu/blogs/… – Blueberry 11/5, 2015 at 16:36

also note, that having both config.force_ssl and add_header Strict-Transport-Security max-age=...; will result in 2 Strict-Transport-Security headers – Underskirt 1/8, 2018 at 13:9

It forces all communication with the server to be encrypted and use SSL, i.e. through HTTPS.

When you include it in a controller that controller will only accept HTTPS requests.

Helpful links:

Gaitskell answered 28/3, 2013 at 7:52 Comment(0)

DOCS

Recommended topics

Hot tags