aboutsummaryrefslogtreecommitdiffstats
path: root/actionpack/test/controller/force_ssl_test.rb
Commit message (Collapse)AuthorAgeFilesLines
* Deprecate controller level force_sslDerek Prior2018-03-301-14/+26
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Today there are two common ways for Rails developers to force their applications to communicate over HTTPS: * `config.force_ssl` is a setting in environment configurations that enables the `ActionDispatch::SSL` middleware. With this middleware enabled, all HTTP communication to your application will be redirected to HTTPS. The middleware also takes care of other best practices by setting HSTS headers, upgrading all cookies to secure only, etc. * The `force_ssl` controller method redirects HTTP requests to certain controllers to HTTPS. As a consultant, I've seen many applications with misconfigured HTTPS setups due to developers adding `force_ssl` to `ApplicationController` and not enabling `config.force_ssl`. With this configuration, many application requests can be served over HTTP such as assets, requests that hit mounted engines, etc. In addition, because cookies are not upgraded to secure only in this configuration and HSTS headers are not set, it's possible for cookies that are meant to be secure to be sent over HTTP. The confusion between these two methods of forcing HTTPS is compounded by the fact that they share an identical name. This makes finding documentation on the "right" method confusing. HTTPS throughout is quickly becomming table stakes for all web sites. Sites are expected to operate over HTTPS for all communication, sensitive or otherwise. Let's encourage use of the broader-reaching `ActionDispatch::SSL` middleware and elminate this source of user confusion. If, for some reason, applications need to expose certain endpoints over HTTP they can do so by properly configuring `config.ssl_options`.
* Use frozen string literal in actionpack/Kir Shatrov2017-07-291-0/+2
|
* Revert "Merge pull request #29540 from kirs/rubocop-frozen-string"Matthew Draper2017-07-021-1/+0
| | | | | This reverts commit 3420a14590c0e6915d8b6c242887f74adb4120f9, reversing changes made to afb66a5a598ce4ac74ad84b125a5abf046dcf5aa.
* Enforce frozen string in RubocopKir Shatrov2017-07-011-0/+1
|
* Remove unneeded FIXME noteRafael Mendonça França2016-08-291-2/+0
| | | | | This is the intended behavior. You should not do more than one request in a controller test.
* modernizes hash syntax in actionpackXavier Noria2016-08-061-19/+19
|
* applies new string literal convention in actionpack/testXavier Noria2016-08-061-31/+31
| | | | | The current code base is not uniform. After some discussion, we have chosen to go with double quotes by default.
* Fix `request.ssl?` bug with Action CableJon Moss2016-02-231-0/+9
| | | | | This bug affects `wss://` requests when running Action Cable in-app. Fixes #23620.
* Stop using deprecated `render :text` in testPrem Sichanugrist2015-07-171-8/+8
| | | | | | | | | This will silence deprecation warnings. Most of the test can be changed from `render :text` to render `:plain` or `render :body` right away. However, there are some tests that needed to be fixed by hand as they actually assert the default Content-Type returned from `render :body`.
* Remove `assigns` and `assert_template`.Guo Xiang Tan2015-05-301-2/+2
|
* Revert "Merge pull request #19682 from ↵Santiago Pastorino2015-04-121-25/+0
| | | | | | | supercaracal/fix_force_ssl_redirection_flash_error" This reverts commit d215620340be7cb29e2aa87aab22da5ec9e6e6a7, reversing changes made to bbbbfe1ac02162ecb5e9a7b560134a3221f129f3.
* fix a wrong feature test method nameTaishi Kasuga2015-04-111-1/+1
|
* fix fails to force_ssl_redirection if session_store is disabledTaishi Kasuga2015-04-091-0/+25
|
* Switch to kwargs in ActionController::TestCase and ActionDispatch::IntegrationKir Shatrov2015-01-291-3/+3
| | | | | | | | Non-kwargs requests are deprecated now. Guides are updated as well. `post url, nil, nil, { a: 'b' }` doesn't make sense. `post url, params: { y: x }, session: { a: 'b' }` would be an explicit way to do the same
* Remove tests method for test cases when controller can be inferred.Guo Xiang2014-05-031-14/+1
|
* Add support for extra options to `force_ssl`Andrew White2013-04-251-14/+106
| | | | | | | | This commit adds support for passing additional url options along with a :status option and any of the flash-related options to `redirect_to` (i.e. :flash, :alert & :notice). Closes #7570.
* Use `request.fullpath` to build redirect url in `force_ssl`Andrew White2013-04-251-0/+63
| | | | | | | | | | | The `force_ssl` command now builds the redirect url from `request.fullpath`. This ensures that the format is maintained and it doesn't redirect to a route that has the same parameters but is defined earlier in `routes.rb`. Also any optional segments are maintained. Fixes #7528. Fixes #9061. Fixes #10305.
* Extracted redirect logic from ActionController::Force::ClassMethods.force_sslJeremy Friesen2012-05-311-0/+31
| | | | | | | | | | | | | Prior to this patch the existing .force_ssl method handles both defining the filter and handling the logic for performing the redirect. With this patch the logic for redirecting to the HTTPS protocol is separated from the filter logic that determines if a redirect should occur. By separating the two levels of behavior, an instance method for ActionController (i.e. #force_ssl_redirect) is exposed and available for more granular SSL enforcement. Cleaned up indentation.
* Tests :if option of force_ssl methodAlexey Vakhov2012-04-011-0/+23
|
* SSL should not be disabled by default in any environment.Pat Allan2012-02-231-14/+0
|
* Fixed force_ssl redirects to include original query paramsRyan McGeary2012-02-071-0/+6
| | | | | | | | | | `ActionController.force_ssl` redirects http URLs to their https equivalent; however, when a URL contains a query string, the resulting redirect lacked the original query string. Conflicts: actionpack/lib/action_controller/metal/force_ssl.rb
* Use performed? instead of checking for response_bodyCarlos Antonio da Silva2012-01-191-3/+0
| | | | | | * Check for performed? instead of response_body * Change performed? to return a boolean * Refactor AC::Metal#response_body= to reuse variable
* When force redirecting to SSL, make sure that the session is kept. As we're ↵Marcin Bunsch and Przemek Dąbek2012-01-121-1/+37
| | | | moving from a non-secure to secure environment, it's safe
* accept optional :host parameter to force_sslBen Scheirman2011-10-081-1/+21
|
* Add controller-specific `force_ssl` method to force web browser to use HTTPS ↵Prem Sichanugrist2011-03-281-0/+83
protocol This would become useful for site which sometime transferring sensitive information such as account information on particular controller or action. This featured was requested by DHH.