Hi everyone,

This is Ryan, and I would like to say that I am new to web development in general. Any help/feedback is appreciated greatly.

I have turned on PiggyBack SSL for my app. To ensure a secure app, could I confirm the following:

For :get
For GET requests, I check the "x-forwarded-proto" header for "http" and redirect (302) all HTTP :get requests to the https URL. From my understanding, there's a load balancer in front of the app server, hence you can't merely check for :http under :scheme in the header. Hence, you need to check "x-forwarded-proto" to see if the client made an HTTP or HTTPS request.

For :post
Similarly, for :post, I set the "action" field of a form to the https version of the URI.

For cookies
Will PiggyBack SSL work if I set the cookie to HttpOnly and :secure to true?

I apologize in advance if my understanding is not clear.

Thank you,
Ryan

-- 
You received this message because you are subscribed to the Google Groups "Heroku" group. To view this discussion on the web visit https://groups.google.com/d/msg/heroku/-/n297VtPX9NsJ.
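The three checks the post describes (redirect plaintext GETs using X-Forwarded-Proto, refuse to accept plaintext writes, flag cookies Secure and HttpOnly), written out as an added example in Ruby. This is editor-supplied code, not Ryan's code or anything from Heroku; it follows the Rack calling convention (env hash in, [status, headers, body] out) but uses no gem, so it runs offline. It assumes the proxy in front of the app is trusted and sets X-Forwarded-Proto (Heroku's router does), and that the header may carry a comma-separated list whose first entry is the client's scheme. The sample requests at the bottom are constructed.

```ruby
# Added example (not from the original post): a Rack-style middleware that
# enforces HTTPS behind an SSL-terminating proxy. It relies only on the Rack
# calling convention, so it runs without the rack gem.
#
# Assumption: the proxy in front of the app is trusted and sets
# X-Forwarded-Proto (possibly as a comma-separated list, client first).

class ForceSSL
  SAFE_METHODS = %w[GET HEAD].freeze
  HSTS = "max-age=31536000; includeSubDomains".freeze

  def initialize(app)
    @app = app
  end

  def call(env)
    return redirect_or_reject(env) unless https?(env)

    status, headers, body = @app.call(env)
    headers = headers.dup
    # Tell browsers to use HTTPS for future requests to this host.
    headers["Strict-Transport-Security"] = HSTS
    [status, headers, body]
  end

  # The client's scheme is what the proxy reports in X-Forwarded-Proto;
  # rack.url_scheme only reflects the proxy-to-app hop, which is plain HTTP.
  def https?(env)
    forwarded = env["HTTP_X_FORWARDED_PROTO"].to_s.split(",").first.to_s.strip
    scheme = forwarded.empty? ? env["rack.url_scheme"].to_s : forwarded
    scheme.downcase == "https"
  end

  def redirect_or_reject(env)
    if SAFE_METHODS.include?(env["REQUEST_METHOD"])
      location = "https://#{env['HTTP_HOST']}#{env['PATH_INFO']}"
      location << "?#{env['QUERY_STRING']}" unless env["QUERY_STRING"].to_s.empty?
      [302, { "Location" => location, "Content-Length" => "0" }, []]
    else
      # A redirect would drop the POST body, and the data has already crossed
      # the network in the clear, so refuse plaintext writes outright.
      [403, { "Content-Type" => "text/plain" }, ["HTTPS required\n"]]
    end
  end
end

# Set-Cookie value with the two flags the post asks about. The browser honours
# "Secure" based on the scheme it connected over, so it works with SSL
# termination at the load balancer.
def secure_cookie(name, value, path: "/")
  "#{name}=#{value}; Path=#{path}; Secure; HttpOnly"
end

# Constructed sample requests standing in for what the router forwards.
def demo
  app = ForceSSL.new(->(_env) { [200, { "Content-Type" => "text/plain" }, ["ok\n"]] })
  http_get  = { "REQUEST_METHOD" => "GET", "HTTP_HOST" => "example.herokuapp.com",
                "PATH_INFO" => "/login", "QUERY_STRING" => "next=%2F",
                "rack.url_scheme" => "http", "HTTP_X_FORWARDED_PROTO" => "http" }
  https_get = http_get.merge("HTTP_X_FORWARDED_PROTO" => "https")
  http_post = http_get.merge("REQUEST_METHOD" => "POST")
  [app.call(http_get), app.call(https_get), app.call(http_post)]
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |status, headers, _| puts "#{status} #{headers}" }
end
```

Wire the middleware in front of the app (`use ForceSSL` in a config.ru) and the redirect covers every GET route without per-handler checks; the form "action" then no longer needs to be hard-coded to https, since a plaintext POST is rejected rather than silently accepted.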
