Rails SSL Requirement plugin — shouldn't it check to see if you're in production mode before redirecting to https?

StackOverflow https://stackoverflow.com/questions/97468

  •  01-07-2019

Question

Take a look at the ssl_requirement plugin.

Shouldn't it check to see if you're in production mode? We're seeing a redirect to https in development mode, which seems odd. Or is that the normal behavior for the plugin? I thought it behaved differently in the past.


Solution

I guess they believe that you should probably be using HTTPS (perhaps with a self-signed certificate) in development mode. If that's not the desired behaviour, there's nothing stopping you from special-casing SSL behaviour in the development environment yourself:

class YourController < ApplicationController
  ssl_required :update unless Rails.env.development?
end

OTHER TIPS

  def ssl_required?
    return false if local_request? || RAILS_ENV == 'test' || RAILS_ENV == 'development'
    super
  end

Ideally you should be testing that your application redirects to https during sensitive stages.

There isn't much point in requiring SSL in the development environment.

You can stub out the plugin's ssl_required? method using Rails' built-in mocking facilities.

Under your application root directory, create a file test/mocks/development/application.rb:

require 'controllers/application_controller'

class ApplicationController < ActionController::Base
  def ssl_required?
    false
  end
end

This way SSL is never required in the development environment.

Actually, redirect over https is a webserver responsibility. Adding extra request hash verification per each request into Rails is an overhead IMHO. I wrote an nginx config, which includes the following rewrite:

rewrite ^(.*) https://$host$1 permanent;
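
An added example (not part of any answer above, and not the plugin's code): a plain-Ruby model of the `ssl_required?` override posted earlier. It enumerates which environment and locality combinations leave a plain-HTTP request to a protected action unredirected. `FakeController`, its parameters and the simplified filter are assumptions made for illustration.

```ruby
# Plain-Ruby stand-in for a controller using the override quoted above.
# FakeController, its keyword arguments and the :update action list are
# constructed for this example; they are not the plugin's API.
class FakeController
  SSL_REQUIRED_ACTIONS = [:update].freeze # mirrors `ssl_required :update`

  def initialize(env:, action:, ssl:, local: false)
    @env, @action, @ssl, @local = env, action, ssl, local
  end

  # What the per-action declaration alone would decide (no override).
  def plugin_ssl_required?
    SSL_REQUIRED_ACTIONS.include?(@action)
  end

  # Same conditions as the override on the page, with the environment
  # and local-request flag passed in instead of read from Rails.
  def ssl_required?
    return false if @local || %w[test development].include?(@env)
    plugin_ssl_required?
  end

  # Simplified filter: redirect plain-HTTP requests to required actions.
  def decision
    (ssl_required? && !@ssl) ? :redirect_to_https : :serve_as_is
  end
end

# Every environment/locality combination for a plain-HTTP request to :update.
def http_update_matrix
  %w[development test production].product([false, true]).map do |env, local|
    c = FakeController.new(env: env, action: :update, ssl: false, local: local)
    [[env, local], c.decision]
  end.to_h
end

# Combinations where the protected action is served over plain HTTP.
def unprotected_cases
  http_update_matrix.select { |_, d| d == :serve_as_is }.keys
end

if __FILE__ == $PROGRAM_NAME
  http_update_matrix.each { |(env, local), d| puts "#{env} local=#{local}: #{d}" }
end
```

The `production` / `local=true` row is served as-is: the `local_request?` clause in that override switches the requirement off in every environment, not only in development and test.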

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow