Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
1.3k views
in Technique[技术] by (71.8m points)

ssl - What does force_ssl do in Rails?

In a previous question I found out that I should be setting nginx ssl termination and not having Rails process encrypted data.

Then why does the following exist?

config.force_ssl = true

I see this commented out in the production config file. But if the expectation is that nginx will handle all the ssl stuff so that my rails app doesn't deal with encrypted data then what does config.force_ssl = true do?

Should I leave it commented out in production if I know I will always be using nginx?

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Answer

0 votes
by (71.8m points)

It doesn't just force your browser to redirect HTTP to HTTPS. It also sets your cookies to be marked "secure", and it enables HSTS, each of which are very good protections against SSL stripping.

Even though HTTPS protects your app at "https://example.com/yourapp" against MITM attacks, if someone gets between your client and your server they can rather easily get you to visit "http://example.com/yourapp". With neither of the above protections, your browser will happily send the session cookie to the person doing the MITM.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...