After reading this, it sounds like config.force_ssl = true should be the default, why did the rails team not make it default when creating a new app (inside config/environments/production.rb)?
Asked
Active
Viewed 1,224 times
1
Henry Yang
- 2,283
- 3
- 21
- 38
2 Answers
1
Because not all servers will use ssl. You need to set config.force_ssl = true only if you're using valid ssl cert.
Roman Kiselenko
- 43,210
- 9
- 91
- 103
1
You might be running a test instance in production mode on your local system, which might not require SSL. So it's better to let the user decide if they require SSL or not.
Ravi Teja Dandu
- 466
- 2
- 7
-
When you say user, do you mean the developer who use rails? – Henry Yang Sep 09 '18 at 23:45
-
1Yes. The person who develops the app. – Ravi Teja Dandu Sep 10 '18 at 05:16