Darth Sid » SSL http://darthsid.com/blog "Powered by The Dark Side" Tue, 06 Apr 2010 08:48:28 +0000 en hourly 1 http://wordpress.org/?v=3.1.2 SSL checklist for Rails Applications http://darthsid.com/blog/2010/03/29/ssl-checklist-for-rails-applications/ http://darthsid.com/blog/2010/03/29/ssl-checklist-for-rails-applications/#comments Mon, 29 Mar 2010 13:34:39 +0000 Sid http://darthsid.com/blog/?p=126 The purpose of SSL is to provide a reasonable level of protection against eavesdropping and man-in-the-middle attacks. Although SSL provides a greater level of security, it introduces a lot of overheads and hence should be used sparingly. Two of the most common places to use SSL is for payment transactions and user registration/login.
This post intentionally focuses only on the Rails application as there are numerous post on the net for SSL setup on the server. Enabling SSL in a Rails application is really trivial and there are just a few points that need your attention..

1. Enabling SSL
a. Install the ssl_requirment plugin:

./script/plugin install git://github.com/rails/ssl_requirement.git

b. Include it in your application_controller.rb:

include SslRequirement

c. Specify actions that require SSL in their respective controllers. For eg. my session controller has the following line:

ssl_required  :new, :create

d. Add the following line in development.rb to bypass SSL in development mode:

SslRequirement.disable_ssl_check = true

2. Gotcha’s
a. Include all submit actions in requirement
Any action that processes form data from a SSL page should also be added to the requirement. In the above example, the form on the login page(new action) is processed by the create action and hence it is also included in the requirement.
b. Ajax actions
Ajax actions on a SSL page should also use SSL and must be included in the requirement. At times you do not have a body for the Ajax action and it is rendered using it’s respective RJS template. In such cases create an empty action and include it in the ssl_requirement.
c. Mixed content
A lot of browsers show you a “Mixed Content Warning” if your SSL page references non-SSL assets. IE displays a scary looking confirmation dialog while Firefox and Chrome show a exclamation in the url bar. Any relative paths(eg. using _path helpers) on the page will automatically use the https protocol but any absolute paths(eg. using _url helper or by manually specifying as a string in link_to) will need to be changed to use https.
d. Asset host issue
If you are using Rails asset hosts and do not have a SSL certificate that supports wildcard(for subdomains), then you need to disable them for the SSL pages. Just add the following code to your production.rb:

ActionController::Base.asset_host = Proc.new { |source, request|
  if request.ssl?
    "#{request.protocol}#{request.host_with_port}"
  else
    "#{request.protocol}assets%d.yourdomain.com" % (source.hash % 4)
  end
}

Replace “yourdomain” with your apps domain and “4″ with the number of asset hosts required.

The above should ensure that you have a proper SSL setup without displaying warnings to the user.

]]> http://darthsid.com/blog/2010/03/29/ssl-checklist-for-rails-applications/feed/ 2