Unfortunately this won't work for the cases where the same application serves multiple domains but only some of them have an SSL certificate. Also it can't be enabled by default since not everyone is serving over HTTPS. What I suggested can be enabled by default out of the box, improving security a little bit by default without breaking HTTP apps.
On 7 Sep 2016 13:57, "Florian Wininger" <[email protected]> wrote:

> Hi, if you want to use only HTTPS with all secure options, I recommend you
> to uncomment the default production environment option in
> config/environments/production.rb :
>
> # Force all access to the app over SSL, use Strict-Transport-Security,
> and use secure cookies.
> # config.force_ssl = true
>
> Rails provides the complete secure HTTPS stack :
> - secure flag in session cookie,
> - Http Strict-Transport-Security,
> - redirect http to https.
>
> Cheers,
> Florian
>
> On Thursday, 1 September 2016 15:14:34 UTC+2, Rodrigo Rosenfeld Rosas wrote:
>>
>> Hi, currently Rails apps will have something like this by default in the
>> initializers:
>>
>> Rails.application.config.session_store :cookie_store, key:
>> '_my_app_session'
>>
>> This will not set the "secure" flag in the _my_app_session cookie. It
>> can be set by providing the {secure: true} option to session_store, but
>> this happens at boot time rather than at request time. This has two
>> problems in my opinion:
>>
>> 1 - Rails isn't safe by default (to the extent of a secure cookie);
>>
>> 2 - It's not possible to serve the same application over different
>> domains when one of them is served over HTTPS and the other over HTTP
>> (unless insecure cookies are used for both); this could be useful for
>> some multi-tenant applications that will customize any views or behavior
>> based on the request's domain, while some clients are willing to use a
>> certificate while others are not (maybe managing free Let's Encrypt
>> certificates would not be desired and not all clients are willing to pay
>> for the certificates).
>>
>> To fix the second case, Rails could introduce a {secure: :if_ssl} or
>> {conditionally_secure: true} option to allow the secure flag to be set
>> if request.ssl? is true. The first case would be fixed making this
>> option the default one.
>>
>> What do you think?
>>
>> Best,
>>
>> Rodrigo.
>>
>> --
> You received this message because you are subscribed to the Google Groups
> "Ruby on Rails: Core" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To post to this group, send email to [email protected].
> Visit this group at https://groups.google.com/group/rubyonrails-core.
> For more options, visit https://groups.google.com/d/optout.
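As an added illustration of the `{secure: :if_ssl}` idea discussed in this thread (example code written for this page, not Rails code and not from either poster): a small Rack-style middleware that appends the `secure` attribute to the session cookie only when the request itself arrived over HTTPS, deciding per request rather than at boot, so an HTTPS tenant and an HTTP tenant of the same app can both keep working. The class name, the `cookie_name:` keyword and the sample app are assumptions; `rack.url_scheme` and `HTTP_X_FORWARDED_PROTO` are the standard Rack/CGI env keys that `Rack::Request#ssl?` looks at (among others), and plain Hashes stand in for the rack gem so the file runs on its own.

```ruby
# Added example, not part of the rubyonrails-core thread or of Rails itself.
# A minimal Rack-style middleware emulating a hypothetical {secure: :if_ssl}
# session-store option: the "secure" attribute is added to the session cookie
# only when the request arrived over HTTPS. Plain Hashes are used instead of
# the rack gem so this runs stand-alone.
class ConditionalSecureCookie
  SET_COOKIE = 'Set-Cookie'

  # app:         any object responding to call(env) -> [status, headers, body]
  # cookie_name: the session cookie to protect (e.g. "_my_app_session")
  def initialize(app, cookie_name:)
    @app = app
    @cookie_name = cookie_name
  end

  def call(env)
    status, headers, body = @app.call(env)
    if ssl?(env) && headers[SET_COOKIE]
      headers = headers.merge(SET_COOKIE => secure_session_cookie(headers[SET_COOKIE]))
    end
    [status, headers, body]
  end

  # Mirrors what request.ssl? checks: the scheme of the connection itself, or
  # the X-Forwarded-Proto header set by a TLS-terminating proxy. Only trust the
  # forwarded header when a proxy you control is known to overwrite it.
  def ssl?(env)
    env['rack.url_scheme'] == 'https' ||
      env['HTTP_X_FORWARDED_PROTO'].to_s.split(',').first.to_s.strip == 'https'
  end

  private

  # Set-Cookie may carry several cookies joined by "\n" (Rack convention).
  # Append "; secure" to the session cookie only, and only if it is not there.
  def secure_session_cookie(value)
    value.split("\n").map do |cookie|
      name = cookie.split('=', 2).first
      attrs = cookie.split(';').map { |a| a.strip.downcase }
      if name == @cookie_name && !attrs.include?('secure')
        "#{cookie}; secure"
      else
        cookie
      end
    end.join("\n")
  end
end

# Constructed stand-in for the application: it always sets the session cookie
# without the secure flag, as the default session_store config would.
SAMPLE_APP = lambda do |_env|
  [200, { 'Content-Type' => 'text/plain',
          'Set-Cookie' => '_my_app_session=abc123; path=/; HttpOnly' }, ['ok']]
end

# Returns the Set-Cookie header the middleware emits for a given scheme, so the
# behaviour can be checked without starting a server.
def session_cookie_for(scheme, forwarded_proto: nil)
  env = { 'rack.url_scheme' => scheme }
  env['HTTP_X_FORWARDED_PROTO'] = forwarded_proto if forwarded_proto
  app = ConditionalSecureCookie.new(SAMPLE_APP, cookie_name: '_my_app_session')
  _status, headers, _body = app.call(env)
  headers['Set-Cookie']
end

if $PROGRAM_NAME == __FILE__
  puts "http:  #{session_cookie_for('http')}"
  puts "https: #{session_cookie_for('https')}"
end
```

The trade-off the thread is weighing is visible in the output: over HTTPS the session cookie gains `secure`, so a browser will never send it back in clear text; over HTTP the cookie is unchanged and remains exposed on the wire, which is why `config.force_ssl = true` stays the stronger setting whenever every domain the app serves has a certificate. When a proxy terminates TLS, make sure it overwrites `X-Forwarded-Proto` rather than passing a client-supplied value through, otherwise the per-request check can be fooled into leaving the flag off.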
