Enhancing Security in Ruby on Rails - SSL Enforcement by Default

While developing web apps, security is of prime importance, especially for apps that handle sensitive user data. The use of SSL (Secure Sockets Layer; in practice its successor, TLS) is critical for web application security: it is the protocol that provides encrypted communication over the Internet.

In this blog, we will go through the use of SSL, the default behavior of SSL enforcement in earlier versions of Rails, and the change introduced in Rails 7.1 that alters the default behavior in the production.rb file.

SSL: A brief overview

SSL is a security protocol for encrypting data sent between the client (web browser) and the server. It protects information such as user identity, credit card details, and personal data.

In Rails applications, the config.force_ssl setting in the production.rb file is used to enforce the use of SSL for incoming requests when the app is running in the production environment.

Before: The default behavior

In earlier versions of Rails, config.force_ssl was commented out in the generated production.rb and therefore not set. As a result, the application served plain HTTP, and also HTTPS if an SSL certificate was configured, but HTTP requests were never redirected to HTTPS.

Let’s consider an example to understand this behaviour. I have set up a sample app in which config.force_ssl is commented out. Now, if I visit the root path over HTTP, it renders the view. From the address bar, we can also observe that HTTP (Not secure) was used when making the request.

After: The default behavior

Starting from Rails 7.1, the default behavior has changed: the config.force_ssl setting in the generated production.rb is set to true by default.

As a result, all incoming requests in the production environment will be automatically redirected to their HTTPS URL, ensuring secure data communication.
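The redirect described above is performed by the ActionDispatch::SSL middleware, which Rails inserts when config.force_ssl = true. The following is an added example, not code from this post and not Rails' own implementation: a simplified pure-Ruby Rack middleware modelled on that behaviour. It redirects plain-HTTP requests to the HTTPS URL (301 for GET/HEAD, 307 for other methods so the body is preserved), adds a Strict-Transport-Security header to secure responses, and flags Set-Cookie values as secure. The sample app, the host example.test, and the request environments are constructed for the example.

```ruby
# Added example: a simplified model of what config.force_ssl = true enables
# (Rails' ActionDispatch::SSL middleware). Pure Ruby, no Rails dependency.

class ForceSSL
  HSTS_HEADER = "Strict-Transport-Security"

  def initialize(app, hsts_max_age: 31_536_000)
    @app = app
    @hsts_value = "max-age=#{hsts_max_age}"
  end

  def call(env)
    return redirect_to_https(env) unless secure?(env)

    status, headers, body = @app.call(env)
    headers[HSTS_HEADER] = @hsts_value   # tell browsers to use HTTPS from now on
    flag_cookies_secure(headers)         # never send session cookies over HTTP
    [status, headers, body]
  end

  private

  # A request is secure if it arrived over HTTPS directly, or a reverse proxy
  # that terminated TLS says so via X-Forwarded-Proto: https.
  def secure?(env)
    env["rack.url_scheme"] == "https" ||
      env["HTTP_X_FORWARDED_PROTO"].to_s.split(",").first.to_s.strip == "https"
  end

  def redirect_to_https(env)
    host = env["HTTP_HOST"] || env["SERVER_NAME"]
    location = "https://#{host}#{env["PATH_INFO"]}"
    location += "?#{env["QUERY_STRING"]}" unless env["QUERY_STRING"].to_s.empty?
    # 301 for GET/HEAD; 307 keeps the method and body for POST, PUT, etc.
    status = %w[GET HEAD].include?(env["REQUEST_METHOD"]) ? 301 : 307
    [status, { "Location" => location, "Content-Type" => "text/plain" },
     ["Redirecting to #{location}"]]
  end

  def flag_cookies_secure(headers)
    cookie = headers["Set-Cookie"]
    return unless cookie
    headers["Set-Cookie"] = cookie.split("\n")
                                  .map { |c| c =~ /;\s*secure/i ? c : "#{c}; secure" }
                                  .join("\n")
  end
end

# Constructed sample app standing in for a Rails application.
SAMPLE_APP = lambda do |_env|
  [200,
   { "Content-Type" => "text/html",
     "Set-Cookie" => "_session_id=abc123; path=/; HttpOnly" },
   ["<h1>Home</h1>"]]
end

# Build a minimal Rack env for a constructed request to host example.test.
def build_env(scheme:, method: "GET", path: "/", query: "", forwarded_proto: nil)
  env = {
    "rack.url_scheme" => scheme,
    "REQUEST_METHOD" => method,
    "HTTP_HOST" => "example.test",
    "PATH_INFO" => path,
    "QUERY_STRING" => query,
  }
  env["HTTP_X_FORWARDED_PROTO"] = forwarded_proto if forwarded_proto
  env
end

def run(env)
  ForceSSL.new(SAMPLE_APP).call(env)
end

if __FILE__ == $PROGRAM_NAME
  status, headers, = run(build_env(scheme: "http", path: "/login", query: "next=%2Faccount"))
  puts "#{status} -> #{headers["Location"]}"
  status, headers, = run(build_env(scheme: "https"))
  puts "#{status} HSTS=#{headers[ForceSSL::HSTS_HEADER]} Set-Cookie=#{headers["Set-Cookie"]}"
end
```

The X-Forwarded-Proto check matters in production: when TLS terminates at a load balancer, the app server sees plain HTTP, and without that header the redirect would loop. Only honour it from a proxy you control. Rails 7.1 also added config.assume_ssl for deployments where every request is known to have arrived over HTTPS.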

We can illustrate this change with an example. I have set up a Rails 7.1 app, in which config.force_ssl is set to true by default. In the images attached below we can see that we made a request over HTTP, but it was automatically redirected to HTTPS.

However, please note that the page did not load because the sample app has no SSL certificate; with a certificate installed, this error would not appear.
