
How To: Use SSL (HTTPS)

josephers edited this page Dec 1, 2011 · 11 revisions

Using the SSL Requirement plugin:

For Devise 1.0, one way to do sign_in over SSL is:

# in app/controllers/application_controller.rb

class ApplicationController < ActionController::Base
  include SslRequirement

  # ...
end

# in config/environment.rb
config.to_prepare do
  SessionsController.ssl_required :new, :create
  RegistrationsController.ssl_required :new, :create
end 

With Devise 1.1, you need to add this at the bottom:

Devise::SessionsController.ssl_required :new, :create

If the code above only requires SSL on the first request in development, you may need to move the last line to a config.to_prepare block inside config/application.rb or config/environment.rb:

config.to_prepare { SessionsController.ssl_required :new, :create }

Rails 3.1 no longer needs the ssl_requirement gem. Just place this in your environment file:

# in config/environments/production.rb
config.to_prepare { Devise::SessionsController.force_ssl }
config.to_prepare { Devise::RegistrationsController.force_ssl }

Also make sure to enable SSL on the server (Nginx, Apache, etc.). If the servers are not configured properly, Rails will not recognize the request as SSL (even if it is), which causes an infinite redirect loop.
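The redirect loop described above, modelled in plain Ruby as an added example (not Devise or Rails code). It assumes TLS is terminated at a reverse proxy that talks plain HTTP to the app; `ssl_request?` is a simplified model of scheme detection, and `proxy_request`, `fetch`, the host and the path are hypothetical names and constructed values.

```ruby
# Simplified model (an assumption, not Rails source) of how a Rack app decides
# whether a request arrived over SSL when a proxy sits in front of it.
def ssl_request?(env)
  forwarded = env["HTTP_X_FORWARDED_PROTO"].to_s.split(",").first.to_s.strip
  env["HTTPS"] == "on" || forwarded == "https" || env["rack.url_scheme"] == "https"
end

# Stand-in for a controller protected by force_ssl: redirect unless SSL is seen.
FORCE_SSL_APP = lambda do |env|
  if ssl_request?(env)
    [200, { "Content-Type" => "text/html" }, ["sign in form"]]
  else
    [301, { "Location" => "https://#{env['HTTP_HOST']}#{env['PATH_INFO']}" }, []]
  end
end

# Hypothetical TLS-terminating proxy: the hop to the app is always plain HTTP.
# forward_proto models whether the proxy passes the client's original scheme on.
def proxy_request(client_scheme, host, path, forward_proto:)
  env = { "rack.url_scheme" => "http", "HTTP_HOST" => host, "PATH_INFO" => path }
  env["HTTP_X_FORWARDED_PROTO"] = client_scheme if forward_proto
  FORCE_SSL_APP.call(env)
end

# Follow redirects the way a browser would and report :ok or :redirect_loop.
def fetch(start_scheme, host, path, forward_proto:, max_redirects: 5)
  scheme = start_scheme
  hops = 0
  loop do
    status, headers, _body = proxy_request(scheme, host, path, forward_proto: forward_proto)
    return { result: :ok, redirects: hops } if status == 200
    return { result: :redirect_loop, redirects: hops } if hops >= max_redirects
    scheme = headers["Location"][/\A(\w+):/, 1]
    hops += 1
  end
end

# Constructed sample host and path.
p fetch("http", "app.example.test", "/users/sign_in", forward_proto: true)
p fetch("http", "app.example.test", "/users/sign_in", forward_proto: false)
```

With the scheme forwarded, the client is redirected once and then served; without it, every response is another redirect to the same https:// URL.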

Avoid using SSL for all URLs; it is an unnecessary performance impact for the browser and server. This gist ensures that the user is redirected to the http:// URL after signing in and signing up.
