I’m researching the best approach for implementing SSL to secure my rails app. The recommendation of the day seems to be to use SSL all the time. There seem to be two current ways of doing it:
-
Use a gem such as Rack::SSL or Rack::SslEnforcer, discussed in detail here:
http://collectiveidea.com/blog/archives/2010/11/29/ssl-with-rails/ -
Redirect at the webserver level, recommended here:
Rails + SSL: Per controller or application-wide?
I’m convinced that redirecting at the Apache level (assuming one is running Apache) must be the way to go, both to simplify implementation and performance.
What I don’t understand and haven’t seen addressed is why there is so much effort and attention devoted to doing it at the application layer using gems? There is even a comment from DHH (last comment in first link above) stating “Rails 3.1 will now have force_ssl baked in at both the app and controller level.” So what am I missing?
Why would one choose to use one of the gems to use SSL all the time?
One, it’s an easy standard for the Rails community to settle on. Now, whenever you want to require https for a Rails app, you can flip this single switch, and it’ll work regardless of what server or other architecture you might be using.
Two, if you’re on a hosting service like Heroku, you won’t have access to server configuration settings anyway.