What does force_ssl do in Rails?

It doesn't just force your browser to redirect HTTP to HTTPS. It also sets your cookies to be marked "secure", and it enables HSTS, each of which are very good protections against SSL stripping.

Even though HTTPS protects your app at "https://example.com/yourapp" against MITM attacks, if someone gets between your client and your server they can rather easily get you to visit "http://example.com/yourapp". With neither of the above protections, your browser will happily send the session cookie to the person doing the MITM.

Setting config.force_ssl includes ActionDispatch::SSL. The ActionDispatch::SSL docs describe the functionality as follows (emphases added for clarity):

See the includes here and the docs for ActionDispatch::SSL here.

DOCS

This middleware is added to the stack when config.force_ssl = true, and is passed the options set in config.ssl_options. It does three jobs to enforce secure HTTP requests:

1. TLS redirect: Permanently redirects http:// requests to https://with the same URL host, path, etc. Enabled by default. Set config.ssl_optionsto modify the destination URL(e.g. redirect: { host: "secure.widgets.com", port: 8080 }), or setredirect: false to disable this feature.

2. Secure cookies: Sets the secure flag on cookies to tell browsers theymustn't be sent along with http:// requests. Enabled by default. Setconfig.ssl_options with secure_cookies: false to disable this feature.

3. HTTP Strict Transport Security (HSTS): Tells the browser to rememberthis site as TLS-only and automatically redirect non-TLS requests.Enabled by default. Configure config.ssl_options with hsts: false to disable.Set config.ssl_options with hsts: { … } to configure HSTS:

   • expires: How long, in seconds, these settings will stick. Defaults to180.days (recommended). The minimum required to qualify for browserpreload lists is 18.weeks.
   • subdomains: Set to true to tell the browser to apply these settingsto all subdomains. This protects your cookies from interception by avulnerable site on a subdomain. Defaults to true.
   • preload: Advertise that this site may be included in browsers'preloaded HSTS lists. HSTS protects your site on every visit except thefirst visit since it hasn't seen your HSTS header yet. To close thisgap, browser vendors include a baked-in list of HSTS-enabled sites.Go to https://hstspreload.appspot.com to submit your site for inclusion.To turn off HSTS, omitting the header is not enough. Browsers will remember the original HSTS directive until it expires. Instead, use the header to tell browsers to expire HSTS immediately. Setting hsts: false is a shortcut for hsts: { expires: 0 }.

Requests can opt-out of redirection with exclude:

config.ssl_options = { redirect: { exclude: -> request { request.path =~ /healthcheck/ } } }

This setting forces HTTPS by redirecting HTTP requests to their HTTPS counterparts. So a browser visiting http://domain.com/path will be redirected to https://domain.com/path.

Leaving the setting commented out would allow both protocols.

You still have to configure your web server to handle HTTPS requests.