From ee82d8a8761f0bedc97f5e79565b7c5142c1b8bd Mon Sep 17 00:00:00 2001 From: Matt Jankowski Date: Sat, 22 Apr 2017 22:22:22 -0400 Subject: [PATCH] Move force_ssl check to production config (#2165) The force_ssl method from controllers does not add all of the options that the sitewide configuration in a config block does. For example, HSTS enforcement is not added by the controller method, but is added by this style. --- app/controllers/application_controller.rb | 2 -- config/environments/production.rb | 1 + 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index a1b9b985c..92755bcd3 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -5,8 +5,6 @@ class ApplicationController < ActionController::Base # For APIs, you may want to use :null_session instead. protect_from_forgery with: :exception - force_ssl if: "Rails.env.production? && ENV['LOCAL_HTTPS'] == 'true'" - include Localized helper_method :current_account diff --git a/config/environments/production.rb b/config/environments/production.rb index eff4c293f..cf4b3e7f9 100644 --- a/config/environments/production.rb +++ b/config/environments/production.rb @@ -108,6 +108,7 @@ Rails.application.configure do config.action_mailer.delivery_method = ENV.fetch('SMTP_DELIVERY_METHOD', 'smtp').to_sym + config.force_ssl = (ENV['LOCAL_HTTPS'] == 'true') config.react.variant = :production