SSL in Ruby on Rails

There is a very good support for SSL in Ruby on Rails. Assuming that you installed a valid SSL certificat on your production server or on your PaaS Provider (Heroku), it is very easy to switch all links to https. If you want to force every link to https, just add this line to your production.rb

config.force_ssl = true

This is a good way to deliver the whole app over https. If you are writing an Online Banking Software, this is the way to go. Otherwise I would not recommend that.

There are several reasons not to deliver every page via https. The most important reason for me is speed. Usually the SSL Handshake between Server and Browser takes 50 to 100 ms. But in a bad case it can take 600 ms. That is a big performance issue.

I recommend to enable https just for certain pages. For example for Registration Pages, Login Pages and Settings Pages. That can be achieved pretty easy by adding this line to the controller.

force_ssl

it is like a filter. You can customize it with “only” and “except”.


class SessionsController < ApplicationController

  force_ssl :only => [:new, :create]

  def new
    @title = "Sign in"
  end

  # ... more ruby code here

end

This will force just certain links to https. If you want to switch back to regular http, you can use this filter here:


def force_http
  if request.ssl? && Rails.env.production?
    redirect_to :protocol => 'http://', :status => :moved_permanently
  end
end

Just add it to a controller like this:

before_filter :force_http

If you forced before everything to https and afterwards you decide to force some pages to http, than you can run in an recursive redirect issue. The Browser remembers that the pages is just available via https, but your server is redirecting to http. If you get this issue you have to clear your Browser cache.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s