| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Today there are two common ways for Rails developers to force their
applications to communicate over HTTPS:
* `config.force_ssl` is a setting in environment configurations that
enables the `ActionDispatch::SSL` middleware. With this middleware
enabled, all HTTP communication to your application will be redirected
to HTTPS. The middleware also takes care of other best practices by
setting HSTS headers, upgrading all cookies to secure only, etc.
* The `force_ssl` controller method redirects HTTP requests to certain
controllers to HTTPS.
As a consultant, I've seen many applications with misconfigured HTTPS
setups due to developers adding `force_ssl` to `ApplicationController`
and not enabling `config.force_ssl`. With this configuration, many
application requests can be served over HTTP such as assets, requests
that hit mounted engines, etc. In addition, because cookies are not
upgraded to secure only in this configuration and HSTS headers are not
set, it's possible for cookies that are meant to be secure to be sent
over HTTP.
The confusion between these two methods of forcing HTTPS is compounded
by the fact that they share an identical name. This makes finding
documentation on the "right" method confusing.
HTTPS throughout is quickly becomming table stakes for all web sites.
Sites are expected to operate over HTTPS for all communication,
sensitive or otherwise. Let's encourage use of the broader-reaching
`ActionDispatch::SSL` middleware and elminate this source of user
confusion. If, for some reason, applications need to expose certain
endpoints over HTTP they can do so by properly configuring
`config.ssl_options`.
|
| | |
|
| |
|
|
|
| |
This reverts commit 3420a14590c0e6915d8b6c242887f74adb4120f9, reversing
changes made to afb66a5a598ce4ac74ad84b125a5abf046dcf5aa.
|
| | |
|
| |
|
|
|
| |
This is the intended behavior. You should not do more than one request
in a controller test.
|
| | |
|
| |
|
|
|
| |
The current code base is not uniform. After some discussion,
we have chosen to go with double quotes by default.
|
| |
|
|
|
| |
This bug affects `wss://` requests when running Action Cable in-app.
Fixes #23620.
|
| |
|
|
|
|
|
|
|
| |
This will silence deprecation warnings.
Most of the test can be changed from `render :text` to render `:plain`
or `render :body` right away. However, there are some tests that needed
to be fixed by hand as they actually assert the default Content-Type
returned from `render :body`.
|
| | |
|
| |
|
|
|
|
|
| |
supercaracal/fix_force_ssl_redirection_flash_error"
This reverts commit d215620340be7cb29e2aa87aab22da5ec9e6e6a7, reversing
changes made to bbbbfe1ac02162ecb5e9a7b560134a3221f129f3.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
Non-kwargs requests are deprecated now.
Guides are updated as well.
`post url, nil, nil, { a: 'b' }` doesn't make sense.
`post url, params: { y: x }, session: { a: 'b' }` would be an explicit way to do the same
|
| | |
|
| |
|
|
|
|
|
|
| |
This commit adds support for passing additional url options along
with a :status option and any of the flash-related options to
`redirect_to` (i.e. :flash, :alert & :notice).
Closes #7570.
|
| |
|
|
|
|
|
|
|
|
|
| |
The `force_ssl` command now builds the redirect url from `request.fullpath`.
This ensures that the format is maintained and it doesn't redirect to a route
that has the same parameters but is defined earlier in `routes.rb`. Also any
optional segments are maintained.
Fixes #7528.
Fixes #9061.
Fixes #10305.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Prior to this patch the existing .force_ssl method handles both defining
the filter and handling the logic for performing the redirect.
With this patch the logic for redirecting to the HTTPS protocol is
separated from the filter logic that determines if a redirect should
occur. By separating the two levels of behavior, an instance method
for ActionController (i.e. #force_ssl_redirect) is exposed and available
for more granular SSL enforcement.
Cleaned up indentation.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
`ActionController.force_ssl` redirects http URLs to their https equivalent;
however, when a URL contains a query string, the resulting redirect lacked the
original query string.
Conflicts:
actionpack/lib/action_controller/metal/force_ssl.rb
|
| |
|
|
|
|
| |
* Check for performed? instead of response_body
* Change performed? to return a boolean
* Refactor AC::Metal#response_body= to reuse variable
|
| |
|
|
| |
moving from a non-secure to secure environment, it's safe
|
| | |
|
|
|
protocol
This would become useful for site which sometime transferring sensitive information such as account information on particular controller or action.
This featured was requested by DHH.
|
