rails--rails/actionpack/lib/action_controller/metal/force_ssl.rb

module ActionController
  # This module provides a method which will redirect browser to use HTTPS
  # protocol. This will ensure that user's sensitive information will be
  # transferred safely over the internet. You _should_ always force browser
  # to use HTTPS when you're transferring sensitive information such as
  # user authentication, account information, or credit card information.
  #
  # Note that if you are really concerned about your application security,
  # you might consider using +config.force_ssl+ in your config file instead.
  # That will ensure all the data transferred via HTTPS protocol and prevent
  # user from getting session hijacked when accessing the site under unsecured
  # HTTP protocol.
  module ForceSSL
    extend ActiveSupport::Concern
    include AbstractController::Callbacks

    module ClassMethods
      # Force the request to this particular controller or specified actions to be
      # under HTTPS protocol.
      #
      # If you need to disable this for any reason (e.g. development) then you can use
      # an +:if+ or +:unless+ condition.
      #
      #     class AccountsController < ApplicationController
      #       force_ssl :if => :ssl_configured?
      #
      #       def ssl_configured?
      #         !Rails.env.development?
      #       end
      #     end
      #
      # ==== Options
      # * <tt>host</tt>   - Redirect to a different host name
      # * <tt>only</tt>   - The callback should be run only for this action
      # * <tt>except<tt>  - The callback should be run for all actions except this action
      # * <tt>if</tt>     - A symbol naming an instance method or a proc; the callback
      #                     will be called only when it returns a true value.
      # * <tt>unless</tt> - A symbol naming an instance method or a proc; the callback
      #                     will be called only when it returns a false value.
      def force_ssl(options = {})
        host = options.delete(:host)
        before_filter(options) do
          force_ssl_redirect(host)
        end
      end
    end

    # Redirect the existing request to use the HTTPS protocol.
    #
    # ==== Parameters
    # * <tt>host</tt> - Redirect to a different host name
    def force_ssl_redirect(host = nil)
      unless request.ssl?
        redirect_options = {:protocol => 'https://', :status => :moved_permanently}
        redirect_options.merge!(:host => host) if host
        redirect_options.merge!(:params => request.query_parameters)
        flash.keep if respond_to?(:flash)
        redirect_to redirect_options
      end
    end
  end
end
Add controller-specific `force_ssl` method to force web browser to use HTTPS protocol This would become useful for site which sometime transferring sensitive information such as account information on particular controller or action. This featured was requested by DHH. 2011-03-27 15:05:14 -04:00			`module ActionController`
fix minor spelling mistakes in comments 2011-05-24 01:40:29 -04:00			`# This module provides a method which will redirect browser to use HTTPS`
Add controller-specific `force_ssl` method to force web browser to use HTTPS protocol This would become useful for site which sometime transferring sensitive information such as account information on particular controller or action. This featured was requested by DHH. 2011-03-27 15:05:14 -04:00			`# protocol. This will ensure that user's sensitive information will be`
			`# transferred safely over the internet. You _should_ always force browser`
			`# to use HTTPS when you're transferring sensitive information such as`
			`# user authentication, account information, or credit card information.`
			`#`
fix minor spelling mistakes in comments 2011-05-24 01:40:29 -04:00			`# Note that if you are really concerned about your application security,`
			`# you might consider using +config.force_ssl+ in your config file instead.`
Add controller-specific `force_ssl` method to force web browser to use HTTPS protocol This would become useful for site which sometime transferring sensitive information such as account information on particular controller or action. This featured was requested by DHH. 2011-03-27 15:05:14 -04:00			`# That will ensure all the data transferred via HTTPS protocol and prevent`
			`# user from getting session hijacked when accessing the site under unsecured`
			`# HTTP protocol.`
			`module ForceSSL`
			`extend ActiveSupport::Concern`
			`include AbstractController::Callbacks`

			`module ClassMethods`
			`# Force the request to this particular controller or specified actions to be`
			`# under HTTPS protocol.`
			`#`
Update documentation for force_ssl - closes #5023. 2012-02-23 07:57:36 -05:00			`# If you need to disable this for any reason (e.g. development) then you can use`
			`# an +:if+ or +:unless+ condition.`
			`#`
			`# class AccountsController < ApplicationController`
			`# force_ssl :if => :ssl_configured?`
			`#`
			`# def ssl_configured?`
			`# !Rails.env.development?`
			`# end`
			`# end`
Add controller-specific `force_ssl` method to force web browser to use HTTPS protocol This would become useful for site which sometime transferring sensitive information such as account information on particular controller or action. This featured was requested by DHH. 2011-03-27 15:05:14 -04:00			`#`
			`# ==== Options`
Document the :host option for force_ssl 2012-02-23 08:34:44 -05:00			`# * <tt>host</tt> - Redirect to a different host name`
Add controller-specific `force_ssl` method to force web browser to use HTTPS protocol This would become useful for site which sometime transferring sensitive information such as account information on particular controller or action. This featured was requested by DHH. 2011-03-27 15:05:14 -04:00			`# * <tt>only</tt> - The callback should be run only for this action`
			`# * <tt>except<tt> - The callback should be run for all actions except this action`
Update documentation for force_ssl - closes #5023. 2012-02-23 07:57:36 -05:00			`# * <tt>if</tt> - A symbol naming an instance method or a proc; the callback`
			`# will be called only when it returns a true value.`
			`# * <tt>unless</tt> - A symbol naming an instance method or a proc; the callback`
			`# will be called only when it returns a false value.`
Add controller-specific `force_ssl` method to force web browser to use HTTPS protocol This would become useful for site which sometime transferring sensitive information such as account information on particular controller or action. This featured was requested by DHH. 2011-03-27 15:05:14 -04:00			`def force_ssl(options = {})`
accept optional :host parameter to force_ssl 2011-10-08 19:38:02 -04:00			`host = options.delete(:host)`
Add controller-specific `force_ssl` method to force web browser to use HTTPS protocol This would become useful for site which sometime transferring sensitive information such as account information on particular controller or action. This featured was requested by DHH. 2011-03-27 15:05:14 -04:00			`before_filter(options) do`
Extracted redirect logic from ActionController::Force::ClassMethods.force_ssl Prior to this patch the existing .force_ssl method handles both defining the filter and handling the logic for performing the redirect. With this patch the logic for redirecting to the HTTPS protocol is separated from the filter logic that determines if a redirect should occur. By separating the two levels of behavior, an instance method for ActionController (i.e. #force_ssl_redirect) is exposed and available for more granular SSL enforcement. Cleaned up indentation. 2012-05-31 10:06:17 -04:00			`force_ssl_redirect(host)`
Add controller-specific `force_ssl` method to force web browser to use HTTPS protocol This would become useful for site which sometime transferring sensitive information such as account information on particular controller or action. This featured was requested by DHH. 2011-03-27 15:05:14 -04:00			`end`
			`end`
			`end`
Extracted redirect logic from ActionController::Force::ClassMethods.force_ssl Prior to this patch the existing .force_ssl method handles both defining the filter and handling the logic for performing the redirect. With this patch the logic for redirecting to the HTTPS protocol is separated from the filter logic that determines if a redirect should occur. By separating the two levels of behavior, an instance method for ActionController (i.e. #force_ssl_redirect) is exposed and available for more granular SSL enforcement. Cleaned up indentation. 2012-05-31 10:06:17 -04:00
			`# Redirect the existing request to use the HTTPS protocol.`
			`#`
			`# ==== Parameters`
			`# * <tt>host</tt> - Redirect to a different host name`
			`def force_ssl_redirect(host = nil)`
			`unless request.ssl?`
			`redirect_options = {:protocol => 'https://', :status => :moved_permanently}`
			`redirect_options.merge!(:host => host) if host`
			`redirect_options.merge!(:params => request.query_parameters)`
			`flash.keep if respond_to?(:flash)`
			`redirect_to redirect_options`
			`end`
			`end`
Add controller-specific `force_ssl` method to force web browser to use HTTPS protocol This would become useful for site which sometime transferring sensitive information such as account information on particular controller or action. This featured was requested by DHH. 2011-03-27 15:05:14 -04:00			`end`
accept optional :host parameter to force_ssl 2011-10-08 19:38:02 -04:00			`end`