SSL in Ruby on Rails

There is a very good support for SSL in Ruby on Rails. Assuming that you installed a valid SSL certificat on your production server or on your PaaS Provider (Heroku), it is very easy to switch all links to https. If you want to force every link to https, just add this line to your production.rb

config.force_ssl = true

This is a good way to deliver the whole app over https. If you are writing an Online Banking Software, this is the way to go. Otherwise I would not recommend that.

There are several reasons not to deliver every page via https. The most important reason for me is speed. Usually the SSL Handshake between Server and Browser takes 50 to 100 ms. But in a bad case it can take 600 ms. That is a big performance issue.

I recommend to enable https just for certain pages. For example for Registration Pages, Login Pages and Settings Pages. That can be achieved pretty easy by adding this line to the controller.


it is like a filter. You can customize it with “only” and “except”.

class SessionsController < ApplicationController

  force_ssl :only => [:new, :create]

  def new
    @title = "Sign in"

  # ... more ruby code here


This will force just certain links to https. If you want to switch back to regular http, you can use this filter here:

def force_http
  if request.ssl? && Rails.env.production?
    redirect_to :protocol => 'http://', :status => :moved_permanently

Just add it to a controller like this:

before_filter :force_http

If you forced before everything to https and afterwards you decide to force some pages to http, than you can run in an recursive redirect issue. The Browser remembers that the pages is just available via https, but your server is redirecting to http. If you get this issue you have to clear your Browser cache.

Published by Robert Reiz

CEO @ VersionEye. Passionated software developer since 1998.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: