Rails SSL Requirement plugin — shouldn't it check to see if you're in production mode before redirecting to https?
01-07-2019
Question
Take a look at the ssl_requirement plugin.
Shouldn't it check to see if you're in production mode? We're seeing a redirect to https in development mode, which seems odd. Or is that the normal behavior for the plugin? I thought it behaved differently in the past.
Solution
I guess they believe that you should probably be using HTTPS (perhaps with a self-signed certificate) in development mode. If that's not the desired behaviour, there's nothing stopping you from special casing SSL behaviour in the development environment yourself:
    class YourController < ApplicationController
      ssl_required :update unless Rails.env.development?
    end
OTHER TIPS
    def ssl_required?
      return false if local_request? || RAILS_ENV == 'test' || RAILS_ENV == 'development'
      super
    end
Ideally you should be testing that your application redirects to https during sensitive stages.
There isn't much point in requiring SSL in the development environment.
You can stub out the plugin's ssl_required? method using Rails' built-in mocking facilities.
Under your application root directory, create a file test/mocks/development/application.rb:
    require 'controllers/application_controller'
    class ApplicationController < ActionController::Base
      def ssl_required?
        false
      end
    end
This way SSL is never required in the development environment.
Actually, redirecting to https is a webserver responsibility. Adding extra request hash verification to each request in Rails is an overhead IMHO. I wrote an nginx config, which includes the following rewrite:
    rewrite ^(.*) https://$host$1 permanent;
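
The environment gate discussed in the answers above, together with the kind of redirect check one of them recommends, as an added example that is not part of the original page or the plugin's code. It is a plain-Ruby model that runs without Rails; Request, SslGate and SSL_EXEMPT_ENVS are hypothetical names, and the exemption is written as an explicit list so that any environment not named on it still enforces HTTPS.

```ruby
# Added example: plain-Ruby model, not the ssl_requirement plugin's code.
# Request, SslGate and SSL_EXEMPT_ENVS are hypothetical names.
Request = Struct.new(:url) do
  def ssl?
    url.start_with?("https://")
  end
end

class SslGate
  # Only these environments skip the HTTPS requirement. An unset or
  # misspelled environment name is not on the list, so it still enforces.
  SSL_EXEMPT_ENVS = %w[development test].freeze

  def initialize(env:, required_actions:)
    @env = env.to_s
    @required_actions = required_actions.map(&:to_sym)
  end

  def ssl_required?(action)
    return false if SSL_EXEMPT_ENVS.include?(@env)
    @required_actions.include?(action.to_sym)
  end

  # Returns the https:// URL to redirect to, or nil if the request proceeds.
  def redirect_target(action, request)
    return nil if request.ssl? || !ssl_required?(action)
    request.url.sub(/\Ahttp:/, "https:")
  end
end

# Constructed sample request.
plain = Request.new("http://example.test/account/update")

# "prodution" is a deliberately misspelled environment name.
%w[production development prodution].each do |env|
  gate = SslGate.new(env: env, required_actions: [:update])
  puts "#{env}: #{gate.redirect_target(:update, plain).inspect}"
end
```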