Enable force_ssl=true in production by default

I will admit to deploying an app into production and leaving it there for weeks before realizing that authenticated traffic was being transported un-secured HTTP. I'd been operating under the false assumption that `config.force_ssl` would be `true` in production by default for new apps.

Suggesting this change to gauge interest and start a conversation. Since this option was introduced, the state of the web has really changed with Let's Encrypt certificates, and HTTPS has become table stakes for most hosting services. It feels like the time is right to enable Strict-Transport-Security by default for new apps.

Co-authored-by: Aaron Patterson <[email protected]>
Co-authored-by: Guillermo Iguaran <[email protected]>
Co-authored-by: vinibispo <[email protected]>

Author: 4 people

railties/CHANGELOG.md

@@ -1,3 +1,8 @@
+*   Enable force_ssl=true in production by default: Force all access to the app over SSL,
+    use Strict-Transport-Security, and use secure cookies
+
+    *Justin Searls*, *Aaron Patterson*, *Guillermo Iguaran*, *Vinícius Bispo*
+
 *   Add engine's draw paths to application route set, so that the application
     can draw route files defined in engine paths.
 

railties/lib/rails/generators/rails/app/templates/config/environments/production.rb.tt

@@ -57,7 +57,7 @@ Rails.application.configure do
   # config.assume_ssl = true
 
   # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
-  # config.force_ssl = true
+  config.force_ssl = true
 
   # Log to STDOUT by default
   config.logger = ActiveSupport::Logger.new(STDOUT)

railties/test/application/asset_debugging_test.rb

@@ -49,7 +49,7 @@ def teardown
       class ::PostsController < ActionController::Base ; end
 
       # the debug_assets params isn't used if compile is off
-      get "/posts?debug_assets=true"
+      get("/posts?debug_assets=true", {}, "HTTPS" => "on")
       assert_match(/<script src="\/assets\/application-([0-z]+)\.js"><\/script>/, last_response.body)
       assert_no_match(/<script src="\/assets\/xmlhr-([0-z]+)\.js"><\/script>/, last_response.body)
     end
@@ -62,7 +62,7 @@ class ::PostsController < ActionController::Base ; end
 
       class ::PostsController < ActionController::Base ; end
 
-      get "/posts?debug_assets=true"
+      get("/posts?debug_assets=true", {}, "HTTPS" => "on")
       assert_match(/<script src="\/assets\/application(\.debug|\.self)?-([0-z]+)\.js(\?body=1)?"><\/script>/, last_response.body)
     end
 

railties/test/application/assets_test.rb

@@ -263,7 +263,7 @@ class User < ActiveRecord::Base; raise 'should not be reached'; end
 
       # Checking if Uglifier is defined we can know if Sprockets was reached or not
       assert_not defined?(Uglifier)
-      get "/assets/#{asset_path}"
+      get("/assets/#{asset_path}", {}, "HTTPS" => "on")
       assert_match "alert()", last_response.body
       assert_not defined?(Uglifier)
     end
@@ -348,7 +348,7 @@ class User < ActiveRecord::Base; raise 'should not be reached'; end
       # Load app env
       app "production"
 
-      get "/assets/demo.js"
+      get("/assets/demo.js", {}, "HTTPS" => "on")
       assert_equal 404, last_response.status
     end
 
@@ -410,7 +410,7 @@ def index
       class ::PostsController < ActionController::Base ; end
 
       # the debug_assets params isn't used if compile is off
-      get "/posts?debug_assets=true"
+      get("/posts?debug_assets=true", {}, "HTTPS" => "on")
       assert_match(/<script src="\/assets\/application-([0-z]+)\.js"><\/script>/, last_response.body)
       assert_no_match(/<script src="\/assets\/xmlhr-([0-z]+)\.js"><\/script>/, last_response.body)
     end

railties/test/application/loading_test.rb

@@ -446,7 +446,7 @@ def show
     require "rack/test"
     extend Rack::Test::Methods
 
-    get "/omg/show"
+    get("/omg/show", {}, "HTTPS" => "on")
     assert_equal "Query cache is enabled.", last_response.body
   end
 

railties/test/application/mailer_previews_test.rb

@@ -26,14 +26,14 @@ def teardown
 
     test "/rails/mailers is not accessible in production" do
       app("production")
-      get "/rails/mailers"
+      get("/rails/mailers", {}, { "HTTPS" => "on" })
       assert_equal 404, last_response.status
     end
 
     test "/rails/mailers is accessible with correct configuration" do
       add_to_config "config.action_mailer.show_previews = true"
       app("production")
-      get "/rails/mailers", {}, { "REMOTE_ADDR" => "4.2.42.42" }
+      get "/rails/mailers", {}, { "REMOTE_ADDR" => "4.2.42.42", "HTTPS" => "on" }
       assert_equal 200, last_response.status
     end
 

railties/test/application/middleware/cache_test.rb

@@ -10,6 +10,9 @@ def setup
       build_app
       require "rack/test"
       extend Rack::Test::Methods
+
+      add_to_env_config "production", "config.cache_store = :memory_store"
+      add_to_env_config "production", "config.action_dispatch.rack_cache = true"
     end
 
     def teardown
@@ -56,7 +59,7 @@ def test_cache_keeps_if_modified_since
       simple_controller
       expected = "Wed, 30 May 1984 19:43:31 GMT"
 
-      get "/expires/keeps_if_modified_since", {}, { "HTTP_IF_MODIFIED_SINCE" => expected }
+      get "/expires/keeps_if_modified_since", {}, { "HTTP_IF_MODIFIED_SINCE" => expected, "HTTPS" => "on" }
 
       assert_equal 200, last_response.status
       assert_equal expected, last_response.body, "cache should have kept If-Modified-Since"
@@ -79,15 +82,13 @@ def test_cache_is_disabled_in_dev_mode
     def test_cache_works_with_expires
       simple_controller
 
-      add_to_config "config.action_dispatch.rack_cache = true"
-
-      get "/expires/expires_header"
+      get "/expires/expires_header", {}, { "HTTPS" => "on" }
       assert_equal "miss, store", last_response.headers["X-Rack-Cache"]
       assert_equal "max-age=10, public", last_response.headers["Cache-Control"]
 
       body = last_response.body
 
-      get "/expires/expires_header"
+      get "/expires/expires_header", {}, { "HTTPS" => "on" }
 
       assert_equal "fresh", last_response.headers["X-Rack-Cache"]
 
@@ -97,31 +98,27 @@ def test_cache_works_with_expires
     def test_cache_works_with_expires_private
       simple_controller
 
-      add_to_config "config.action_dispatch.rack_cache = true"
-
-      get "/expires/expires_header", private: true
+      get "/expires/expires_header", { private: true }, { "HTTPS" => "on" }
       assert_equal "miss",                last_response.headers["X-Rack-Cache"]
       assert_equal "private, max-age=10", last_response.headers["Cache-Control"]
 
       body = last_response.body
 
-      get "/expires/expires_header", private: true
+      get "/expires/expires_header", { private: true }, { "HTTPS" => "on" }
       assert_equal "miss",           last_response.headers["X-Rack-Cache"]
       assert_not_equal body,         last_response.body
     end
 
     def test_cache_works_with_etags
       simple_controller
 
-      add_to_config "config.action_dispatch.rack_cache = true"
-
-      get "/expires/expires_etag"
-      assert_equal "miss, store", last_response.headers["X-Rack-Cache"]
+      get "/expires/expires_etag", {}, { "HTTPS" => "on" }
       assert_equal "public", last_response.headers["Cache-Control"]
+      assert_equal "miss, store", last_response.headers["X-Rack-Cache"]
 
       etag = last_response.headers["ETag"]
 
-      get "/expires/expires_etag", {}, { "HTTP_IF_NONE_MATCH" => etag }
+      get "/expires/expires_etag", {}, { "HTTP_IF_NONE_MATCH" => etag, "HTTPS" => "on" }
       assert_equal "stale, valid, store", last_response.headers["X-Rack-Cache"]
       assert_equal 304, last_response.status
       assert_equal "", last_response.body
@@ -130,32 +127,28 @@ def test_cache_works_with_etags
     def test_cache_works_with_etags_private
       simple_controller
 
-      add_to_config "config.action_dispatch.rack_cache = true"
-
-      get "/expires/expires_etag", private: true
+      get "/expires/expires_etag", { private: true }, { "HTTPS" => "on" }
       assert_equal "miss",                                last_response.headers["X-Rack-Cache"]
       assert_equal "must-revalidate, private, max-age=0", last_response.headers["Cache-Control"]
 
       body = last_response.body
       etag = last_response.headers["ETag"]
 
-      get "/expires/expires_etag", { private: true }, { "HTTP_IF_NONE_MATCH" => etag }
+      get "/expires/expires_etag", { private: true }, { "HTTP_IF_NONE_MATCH" => etag, "HTTPS" => "on" }
       assert_equal "miss", last_response.headers["X-Rack-Cache"]
       assert_not_equal body,   last_response.body
     end
 
     def test_cache_works_with_last_modified
       simple_controller
 
-      add_to_config "config.action_dispatch.rack_cache = true"
-
-      get "/expires/expires_last_modified"
-      assert_equal "miss, store", last_response.headers["X-Rack-Cache"]
+      get "/expires/expires_last_modified", {}, { "HTTPS" => "on" }
       assert_equal "public", last_response.headers["Cache-Control"]
+      assert_equal "miss, store", last_response.headers["X-Rack-Cache"]
 
       last = last_response.headers["Last-Modified"]
 
-      get "/expires/expires_last_modified", {}, { "HTTP_IF_MODIFIED_SINCE" => last }
+      get "/expires/expires_last_modified", {}, { "HTTP_IF_MODIFIED_SINCE" => last, "HTTPS" => "on" }
       assert_equal "stale, valid, store", last_response.headers["X-Rack-Cache"]
       assert_equal 304, last_response.status
       assert_equal "", last_response.body
@@ -164,16 +157,14 @@ def test_cache_works_with_last_modified
     def test_cache_works_with_last_modified_private
       simple_controller
 
-      add_to_config "config.action_dispatch.rack_cache = true"
-
-      get "/expires/expires_last_modified", private: true
+      get "/expires/expires_last_modified", { private: true }, { "HTTPS" => "on" }
       assert_equal "miss",                                last_response.headers["X-Rack-Cache"]
       assert_equal "must-revalidate, private, max-age=0", last_response.headers["Cache-Control"]
 
       body = last_response.body
       last = last_response.headers["Last-Modified"]
 
-      get "/expires/expires_last_modified", { private: true }, { "HTTP_IF_MODIFIED_SINCE" => last }
+      get "/expires/expires_last_modified", { private: true }, { "HTTP_IF_MODIFIED_SINCE" => last, "HTTPS" => "on" }
       assert_equal "miss", last_response.headers["X-Rack-Cache"]
       assert_not_equal body,   last_response.body
     end

railties/test/application/middleware/exceptions_test.rb

@@ -26,7 +26,7 @@ def index
       RUBY
 
       log = capture(:stdout) do
-        get "/foo"
+        get("/foo", {}, "HTTPS" => "on")
         assert_equal 500, last_response.status
       end
 
@@ -43,12 +43,12 @@ def index
         end
       RUBY
 
-      get "/foo"
+      get "/foo", {}, { "HTTPS" => "on" }
       assert_equal 404, last_response.status
     end
 
     test "renders unknown http methods as 405" do
-      request "/", { "REQUEST_METHOD" => "NOT_AN_HTTP_METHOD" }
+      request("/", { "REQUEST_METHOD" => "NOT_AN_HTTP_METHOD", "HTTPS" => "on" })
       assert_equal 405, last_response.status
     end
 
@@ -62,7 +62,7 @@ def index
 
       app.config.action_dispatch.show_exceptions = :all
 
-      request "/", { "REQUEST_METHOD" => "NOT_AN_HTTP_METHOD" }
+      request "/", { "REQUEST_METHOD" => "NOT_AN_HTTP_METHOD", "HTTPS" => "on" }
       assert_equal 405, last_response.status
     end
 
@@ -90,7 +90,7 @@ def not_acceptable
       add_to_config "config.action_dispatch.show_exceptions = :all"
       add_to_config "config.consider_all_requests_local = false"
 
-      get "/foo", {}, { "HTTP_ACCEPT" => "invalid" }
+      get "/foo", {}, { "HTTP_ACCEPT" => "invalid", "HTTPS" => "on" }
       assert_equal 406, last_response.status
       assert_not_equal "rendering index!", last_response.body
     end
@@ -104,7 +104,7 @@ def not_acceptable
 
       app.config.action_dispatch.show_exceptions = :all
 
-      get "/foo"
+      get("/foo", {}, "HTTPS" => "on")
       assert_equal 404, last_response.status
       assert_equal "YOU FAILED", last_response.body
     end
@@ -120,23 +120,23 @@ def index
 
       app.config.action_dispatch.show_exceptions = :all
 
-      get "/foo"
+      get("/foo", {}, "HTTPS" => "on")
       assert_equal 500, last_response.status
     end
 
     test "unspecified route when action_dispatch.show_exceptions is not set raises an exception" do
       app.config.action_dispatch.show_exceptions = :none
 
       assert_raise(ActionController::RoutingError) do
-        get "/foo"
+        get("/foo", {}, "HTTPS" => "on")
       end
     end
 
     test "unspecified route when action_dispatch.show_exceptions is set shows 404" do
       app.config.action_dispatch.show_exceptions = :all
 
       assert_nothing_raised do
-        get "/foo"
+        get("/foo", {}, "HTTPS" => "on")
         assert_match "The page you were looking for doesn't exist.", last_response.body
       end
     end
@@ -146,7 +146,7 @@ def index
       app.config.consider_all_requests_local = true
 
       assert_nothing_raised do
-        get "/foo"
+        get("/foo", {}, "HTTPS" => "on")
         assert_match "No route matches", last_response.body
       end
     end
@@ -161,7 +161,7 @@ def index
       app.config.action_dispatch.show_exceptions = :all
       app.config.consider_all_requests_local = true
 
-      get "/articles"
+      get("/articles", {}, "HTTPS" => "on")
       assert_match "<title>Action Controller: Exception caught</title>", last_response.body
     end
 
@@ -181,7 +181,7 @@ def index
         ✓測試テスト시험
       ERB
 
-      get "/foo", utf8: "✓"
+      get("/foo", { utf8: "✓" }, { "HTTPS" => "on" })
       assert_match(/boooom/, last_response.body)
       assert_match(/測試テスト시험/, last_response.body)
     end
@@ -197,7 +197,7 @@ def index
       app.config.action_dispatch.show_exceptions = :all
       app.config.consider_all_requests_local = true
 
-      get "/foo?x[y]=1&x[y][][w]=2"
+      get "/foo?x[y]=1&x[y][][w]=2", {}, "HTTPS" => "on"
       assert_equal 400, last_response.status
       assert_match "Invalid query parameters", last_response.body
     end
@@ -216,7 +216,7 @@ def index
       limit = Rack::Utils.param_depth_limit + 1
       malicious_url = "/foo?#{'[test]' * limit}=test"
 
-      get malicious_url
+      get(malicious_url, {}, "HTTPS" => "on")
       assert_equal 400, last_response.status
       assert_match "Invalid query parameters", last_response.body
     end
@@ -233,12 +233,12 @@ def index
       app.config.consider_all_requests_local = true
       app.config.action_dispatch.ignore_accept_header = false
 
-      get "/foo"
+      get("/foo", {}, "HTTPS" => "on")
       assert_equal 500, last_response.status
       assert_match "<title>Action Controller: Exception caught</title>", last_response.body
       assert_match "ActiveRecord::StatementInvalid", last_response.body
 
-      get "/foo", {}, { "HTTP_ACCEPT" => "text/plain", "HTTP_X_REQUESTED_WITH" => "XMLHttpRequest" }
+      get "/foo", {}, { "HTTP_ACCEPT" => "text/plain", "HTTP_X_REQUESTED_WITH" => "XMLHttpRequest", "HTTPS" => "on" }
       assert_equal 500, last_response.status
       assert_equal "text/plain", last_response.media_type
       assert_match "ActiveRecord::StatementInvalid", last_response.body
@@ -255,7 +255,7 @@ def index
 
       app.config.action_dispatch.show_exceptions = :rescuable
 
-      get "/foo"
+      get "/foo", {}, { "HTTPS" => "on" }
       assert_equal 404, last_response.status
     end
 
@@ -270,7 +270,7 @@ def index
 
       app.config.action_dispatch.show_exceptions = :rescuable
 
-      error = assert_raises(RuntimeError) { get "/foo" }
+      error = assert_raises(RuntimeError) { get("/foo", {}, { "HTTPS" => "on" }) }
       assert_equal "oops", error.message
     end
   end