force_ssl 在 Rails 中有什么作用? [英] What does force_ssl do in Rails?

问题描述

在之前的问题中 我发现我应该设置 nginx ssl 终止，而不是让 Rails 处理加密数据.

In a previous question I found out that I should be setting nginx ssl termination and not having Rails process encrypted data.

那为什么会存在以下情况?

Then why does the following exist?

config.force_ssl = true

我看到这个在生产配置文件中被注释掉了.但是，如果期望 nginx 将处理所有 ssl 内容，以便我的 Rails 应用程序不处理加密数据，那么 config.force_ssl = true 会做什么?

I see this commented out in the production config file. But if the expectation is that nginx will handle all the ssl stuff so that my rails app doesn't deal with encrypted data then what does config.force_ssl = true do?

如果我知道我将一直使用 nginx，我是否应该在生产中将其注释掉?

Should I leave it commented out in production if I know I will always be using nginx?

推荐答案

它不只是强制您的浏览器将 HTTP 重定向到 HTTPS.它还将您的 cookie 设置为标记为安全"，并启用 HSTS，每个都是非常好的防止 SSL 剥离的保护.

It doesn't just force your browser to redirect HTTP to HTTPS. It also sets your cookies to be marked "secure", and it enables HSTS, each of which are very good protections against SSL stripping.

即使 HTTPS 在https://example.com/yourapp"上保护您的应用免受 MITM 攻击，如果有人在你的客户端和你的服务器之间，他们可以很容易地让你访问 "http://example.com/yourapp".如果没有上述任何一种保护措施，您的浏览器将很乐意将会话 cookie 发送给执行 MITM 的人.

Even though HTTPS protects your app at "https://example.com/yourapp" against MITM attacks, if someone gets between your client and your server they can rather easily get you to visit "http://example.com/yourapp". With neither of the above protections, your browser will happily send the session cookie to the person doing the MITM.

这篇关于force_ssl 在 Rails 中有什么作用?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！