| field | value | date |
|---|---|---|
| author | Prem Sichanugrist <s@sikachu.com> | 2011-03-27 23:55:46 +0700 |
| committer | David Heinemeier Hansson <david@loudthinking.com> | 2011-03-27 13:27:23 -0700 |
| commit | 2c0c4d754e34b13379dfc53121a970c25fab5dae (patch) | |
| tree | a911462aeb8f1bd2e8df9d255708d074cfdf37ce /railties/guides/source | |
| parent | b2d94322e6f2c2324154465147938ca8b16c610d (diff) | |
Add `config.force_ssl` configuration which will load `Rack::SSL` middleware if set to true
This will allow users to force all requests to be made over the HTTPS protocol.
This commit was a request from DHH. Special thanks to Josh Peek as well for making `Rack::SSL`.
Diffstat (limited to 'railties/guides/source')

| mode | file | lines |
|---|---|---|
| -rw-r--r-- | railties/guides/source/configuring.textile | 3 |
| -rw-r--r-- | railties/guides/source/security.textile | 6 |

2 files changed, 8 insertions, 1 deletion
diff --git a/railties/guides/source/configuring.textile b/railties/guides/source/configuring.textile index 62b846e871..04e2d6daed 100644 --- a/railties/guides/source/configuring.textile +++ b/railties/guides/source/configuring.textile @@ -81,6 +81,8 @@ end * +config.filter_parameters+ used for filtering out the parameters that you don't want shown in the logs, such as passwords or credit card numbers. +* +config.force_ssl+ forcing all requests to be under HTTPS protocol by using +Rack::SSL+ middleware. This will secure your application from a session hijack attempt. + * +config.helper_paths+ configures where Rails can find helpers for this application. * +config.log_level+ defines the verbosity of the Rails logger. In production mode, this defaults to +:info+. In development mode, it defaults to +:debug+. @@ -147,6 +149,7 @@ h4. Configuring Middleware Every Rails application comes with a standard set of middleware which it uses in this order in the development environment: +* +Rack::SSL+ Will force every requests to be under HTTPS protocal. Will be available if +config.force_ssl+ is set to _true_. * +ActionDispatch::Static+ is used to serve static assets. Disabled if +config.serve_static_assets+ is _true_. * +Rack::Lock+ Will wrap the app in mutex so it can only be called by a single thread at a time. Only enabled if +config.action_controller.allow_concurrency+ is set to _false_, which it is by default. * +ActiveSupport::Cache::Strategy::LocalCache+ Serves as a basic memory backed cache. This cache is not thread safe and is intended only for serving as a temporary memory cache for a single thread. diff --git a/railties/guides/source/security.textile b/railties/guides/source/security.textile index 182f3631ef..893f65856c 100644 --- a/railties/guides/source/security.textile +++ b/railties/guides/source/security.textile 
@@ -57,7 +57,11 @@ Many web applications have an authentication system: a user provides a user name Hence, the cookie serves as temporary authentication for the web application. Everyone who seizes a cookie from someone else, may use the web application as this user – with possibly severe consequences. Here are some ways to hijack a session, and their countermeasures: -* Sniff the cookie in an insecure network. A wireless LAN can be an example of such a network. In an unencrypted wireless LAN it is especially easy to listen to the traffic of all connected clients. This is one more reason not to work from a coffee shop. For the web application builder this means to _(highlight)provide a secure connection over SSL_. +* Sniff the cookie in an insecure network. A wireless LAN can be an example of such a network. In an unencrypted wireless LAN it is especially easy to listen to the traffic of all connected clients. This is one more reason not to work from a coffee shop. For the web application builder this means to _(highlight)provide a secure connection over SSL_. In Rails 3.1 and later, this could be accomplished by always forcing SSL connection in your application config file: + +<ruby> +config.force_ssl = true +</ruby> * Most people don't clear out the cookies after working at a public terminal. So if the last user didn't log out of a web application, you would be able to use it as this user. Provide the user with a _(highlight)log-out button_ in the web application, and _(highlight)make it prominent_. |
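Review bot: "This will secure your application from a session hijack attempt" in the new +config.force_ssl+ bullet of configuring.textile (first hunk) overstates what forcing HTTPS buys. It closes only the sniffing vector listed in the security guide, not hijacking through XSS, a forgotten public-terminal login or a cookie stolen by other means, so narrow it to something like "This prevents the session cookie from being sniffed on an unencrypted connection." The bullet also omits the default, unlike +config.log_level+ two entries below; add that the option is off unless set to +true+.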
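Review bot: Typos in the new +Rack::SSL+ entry of the middleware list in configuring.textile (second hunk): "every requests" should be "every request" and "protocal" should be "protocol". The enabling condition is also phrased differently from its neighbours ("Will be available if"); the other entries use "Only enabled if ...", so "Only enabled if +config.force_ssl+ is set to _true_." keeps the list consistent.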
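Review bot: The sentence added to the sniffing bullet in security.textile should read "forcing an SSL connection" (missing article). Since this bullet is specifically about the cookie being sniffed, it should also say what happens to the session cookie when +config.force_ssl+ is on: redirecting plain-HTTP requests to HTTPS does not by itself stop a browser from attaching an already-set cookie to that first unencrypted request, so state whether the cookie is flagged secure, otherwise the reader may assume more protection than a redirect provides.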