Force SSL and url encryption in rails - ruby-on-rails

In a rails app I am setting
config.force_ssl=true
This is working great, but I am concerned about a situation where a gem I am using redirects to a url in the following format:
http://example.com/secure_url?secret_token=abc
Rails then redirects to
https://example.com/secure_url?secret_token=abc
However, I'm worried that the secret_token will be exposed during the original http request before it is redirected to a secure connection. Is this a legitimate security concern?
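The middleware behaviour the question describes, as an added example written here in plain Ruby (it is not from the question, the gem, or Rails; the function names are mine and `force_ssl` is a constructed stand-in for ActionDispatch::SSL): the https redirect is built from the path and query string the server has already received over plain HTTP, and the example lists which parameter names crossed the wire unencrypted before the redirect was issued.

```ruby
require "uri"

# Constructed stand-in for what config.force_ssl (ActionDispatch::SSL) does with
# a request; this is an added illustration, not the Rails implementation.
# `env` carries the few Rack keys the real middleware looks at.
def force_ssl(env)
  if env["rack.url_scheme"] == "https"
    # Already on TLS: serve the app and pin the browser to HTTPS for one year.
    [200, { "Strict-Transport-Security" => "max-age=31536000" }, ["ok"]]
  else
    # Plain HTTP: the server (and any on-path observer) has already read the
    # path and query string in the clear before this redirect is built.
    query = env["QUERY_STRING"].empty? ? nil : env["QUERY_STRING"]
    target = URI::HTTPS.build(host: env["HTTP_HOST"],
                              path: env["PATH_INFO"], query: query)
    [301, { "Location" => target.to_s }, []]
  end
end

# Names of the query parameters that crossed the wire unencrypted.
def cleartext_params(env)
  return [] if env["rack.url_scheme"] == "https"
  URI.decode_www_form(env["QUERY_STRING"]).map(&:first)
end

# Build the Rack-style env for a URL such as the one a gem might redirect to.
def env_for(url)
  u = URI.parse(url)
  { "rack.url_scheme" => u.scheme, "HTTP_HOST" => u.host,
    "PATH_INFO" => u.path, "QUERY_STRING" => u.query.to_s }
end

# Constructed sample: the redirect target from the question.
GEM_REDIRECT = "http://example.com/secure_url?secret_token=abc"

if __FILE__ == $PROGRAM_NAME
  env = env_for(GEM_REDIRECT)
  status, headers, _body = force_ssl(env)
  puts "#{status} Location: #{headers["Location"]}"
  puts "already sent over plain HTTP: #{cleartext_params(env).join(", ")}"
end
```

The HSTS header on the https branch is what stops a returning browser from making the plaintext request at all; it does nothing for the very first visit or for a URL the gem hands out as http.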

Related

Can I switch off redirection from http to https, but still use force_ssl (config.force_ssl = true) to generate URLs/assets with the https protocol?

I'm trying to use AWS CloudFront with a Rails application, and when I am using config.force_ssl = true the web site is crashing, as CloudFront has redirections and the Rails app has redirections.
When I switch it off (force_ssl = false) the web site works fine, except for Ajax requests, as all of the Ajax requests are not secure anymore.
Could somebody suggest how to fix that issue? How do I switch off redirection to https but still generate secure URLs?

Rails and Devise: set Secure flag when requested via HTTPS, don't set Secure flag when not requested via HTTPS

I manage a Rails 4.2 application which runs dual stack: SSL and Non-SSL. I'd like to set the Secure flag for cookies when the resource is requested via HTTPS and I want to leave out the flag when the resource is requested via plain HTTP.
Is there a way to achieve this in Rails (session cookie, cookies sent manually in the code)? And especially when using Devise with rememberable enabled.
I know this is a late response, but I'm currently looking into the same thing and it seems https://github.com/mobalean/devise_ssl_session_verifiable should automate this for you, although it uses a different approach (regular session cookie over http + https, but an additional secure cookie in https, so that someone hijacking your session cannot access your https-only resources).

How do I know if my data is really being transmitted using SSL on Heroku?

Here is my scenario:
I have a Rails app on Heroku and I'm forcing it to use HTTPS (using this tutorial: http://simonecarletti.com/blog/2011/05/configuring-rails-3-https-ssl/).
I created a POST form, and its action is "/my-action".
How do I know if my data is really being transmitted using SSL? I mean, shouldn't the form action be "https://mywebsite.herokuapp.com/my-action"?
Some considerations:
* I'm using the free Heroku SSL (https://myapp.herokuapp.com)
* This app is not using the heroku SSL endpoint addon
Thanks
If you have a valid SSL certificate and encryption key, only then is your data accepted via SSL. Simply redirecting your website to use the https protocol doesn't encrypt your data flow, and this is what you were doing. Right now you are using Heroku, which does provide a free SSL service if you use its domain.
So, if your website can be accessed via https://myapp.herokuapp.com and the browser isn't giving any warning, then you are using the SSL service.
This doesn't apply to custom domains. Your custom domain will still be accessible at https://www.example.com but it isn't SSL enabled.

omniauth openid invalid credentials

I am using omniauth and logging into Google and Yahoo using the open_id strategy. This was working fine until I enabled SSL on my site. There were a couple of issues. First, the URLs being generated were still pointing at http instead of https. I fixed that using a monkey patch from other posts (Omniauth and open_id with Google broken when running behind nginx in SSL mode, OpenID for rails app behind Apache).
Now it seems like the URLs are okay, but I always get an invalid credentials failure. I am using nginx and unicorn and hosting on EC2, if any of that is relevant. I see this in my unicorn logs:
(google) Request phase initiated.
WARNING: making https request to https://www.google.com/accounts/o8/id without verifying server certificate; no CA path was specified.
Generated checkid_setup request to https://www.google.com/accounts/o8/ud with assocication ...
(google) Callback phase initiated.
(google) Authentication failure! invalid_credentials encountered.
Note: I removed the association above because I was not sure if that's some private key or something.
Also, I see google posting to my callback "/auth/google/callback".
Finally, about the warning about making a request without verifying the server certificate, I saw in another post that I should add this:
require "openid/fetchers"
OpenID.fetcher.ca_file = "/etc/ssl/certs/ca-certificates.crt"
which I did, and the messages go away, but it does not fix my problem. Am I supposed to point this to my SSL certificates instead?
I'm just confused about what is going on and not finding good logging output to identify the problem...

Rails Devise SSL Session Mix Up on Production

I've deployed my app on to an Ubuntu VPS using Capistrano, nginx/Passenger and a wildcard SSL certificate.
The app works fine on development and my staging environment on Heroku.
However, there are two problems on production when users sign into the site using a secure page.
On the latest Chrome and Firefox the browsers start to enforce HTTPS on every single request, every time, regardless of whether the user is signed in or not. Even if I disable SSL on nginx the browser still attempts HTTPS and complains it cannot connect. The main page serves some insecure dynamic embedded items and uses an insecure CDN, so I would like to serve that page as non-SSL. Whenever I tried to redirect a page to non-SSL, either through an nginx rewrite or a before filter in Rails, it caused an infinite redirect loop.
Safari does not have the first problem above; it respects both HTTPS and HTTP requests. However, when the user has logged in and browses to a non-SSL page they are signed out or lose the session instantly.
Has anyone encountered such a problem before, or have an idea on how I could diagnose/fix the problem?
Thanks
Were you using Rails 3.1 force_ssl to enable SSL, or a gem?
When you enabled HTTPS, you also enabled the HTTP Strict Transport Security flag, which the browser uses to immediately go to HTTPS for any page on that domain before it sends the request to the server.
On Chrome, enter chrome://net-internals/#hsts into your browser and then you can delete your domain from the HSTS list, which should fix it for Chrome. Can't speak for Firefox as I don't use it that often.
The issue with it losing the session is likely because Rails is setting the authentication cookie as secure, which means it is only sent for HTTPS requests and not HTTP. Make sure your cookie_options in Rails are not setting :secure => true. Also check the Devise cookie_options setting to ensure that :secure => true isn't being set.
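An added diagnostic for the two symptoms in this thread (a constructed example, not part of the question, the answer, Rails or Devise; the function names and the sample response are mine): given the raw headers of a sign-in response, it reports the HSTS policy that pins the browser to HTTPS and which cookies carry the Secure flag and so will not be presented on a plain-HTTP page.

```ruby
# Parse "Name: value" header lines (status line dropped) into [name, value] pairs.
def parse_headers(raw)
  raw.lines.map(&:chomp).drop(1).reject(&:empty?).map { |l| l.split(": ", 2) }
end

# The HSTS policy, if any: this is what makes Chrome/Firefox refuse plain HTTP
# for the domain until max-age runs out (or the entry is cleared manually).
def hsts_policy(headers)
  _, value = headers.find { |name, _| name.casecmp?("Strict-Transport-Security") }
  return nil unless value
  { max_age: value[/max-age=(\d+)/i, 1].to_i,
    include_subdomains: value.match?(/includeSubDomains/i) }
end

# Name and flags of every cookie the response sets.
def cookie_flags(headers)
  headers.select { |name, _| name.casecmp?("Set-Cookie") }.map do |_, value|
    pair, *attrs = value.split(/;\s*/)
    flags = attrs.map { |a| a.split("=", 2).first.downcase }
    { name: pair.split("=", 2).first,
      secure: flags.include?("secure"), httponly: flags.include?("httponly") }
  end
end

# Cookies a browser will NOT present on a plain-http page: if the session or
# Devise remember cookie is listed, the user looks signed out there.
def dropped_over_http(headers)
  cookie_flags(headers).select { |c| c[:secure] }.map { |c| c[:name] }
end

# Constructed sign-in response (not real server output).
SAMPLE = <<~HDR
  HTTP/1.1 302 Found
  Location: https://example.com/
  Strict-Transport-Security: max-age=31536000; includeSubDomains
  Set-Cookie: _myapp_session=abc123; path=/; secure; HttpOnly
  Set-Cookie: remember_user_token=xyz789; path=/; expires=Thu, 01 Jan 2026 00:00:00 GMT; secure; HttpOnly
  Set-Cookie: locale=en; path=/
HDR

if __FILE__ == $PROGRAM_NAME
  h = parse_headers(SAMPLE)
  puts "HSTS: #{hsts_policy(h).inspect}"
  puts "not sent over HTTP: #{dropped_over_http(h).join(", ")}"
end
```

Dropping :secure => true as the answer suggests makes these cookies travel over plain HTTP; keeping the whole site on HTTPS preserves both the flag and the HSTS pin.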