- 30 Mar 2018, 1 commit
Committed by Derek Prior
Today there are two common ways for Rails developers to force their applications to communicate over HTTPS:

* `config.force_ssl` is a setting in environment configurations that enables the `ActionDispatch::SSL` middleware. With this middleware enabled, all HTTP communication to your application will be redirected to HTTPS. The middleware also takes care of other best practices by setting HSTS headers, upgrading all cookies to secure only, etc.
* The `force_ssl` controller method redirects HTTP requests to certain controllers to HTTPS.

As a consultant, I've seen many applications with misconfigured HTTPS setups due to developers adding `force_ssl` to `ApplicationController` and not enabling `config.force_ssl`. With this configuration, many application requests can be served over HTTP such as assets, requests that hit mounted engines, etc. In addition, because cookies are not upgraded to secure only in this configuration and HSTS headers are not set, it's possible for cookies that are meant to be secure to be sent over HTTP.

The confusion between these two methods of forcing HTTPS is compounded by the fact that they share an identical name. This makes finding documentation on the "right" method confusing.

HTTPS throughout is quickly becoming table stakes for all web sites. Sites are expected to operate over HTTPS for all communication, sensitive or otherwise. Let's encourage use of the broader-reaching `ActionDispatch::SSL` middleware and eliminate this source of user confusion. If, for some reason, applications need to expose certain endpoints over HTTP they can do so by properly configuring `config.ssl_options`.
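The commit message above lists three things the app-wide middleware does that a controller-level `force_ssl` cannot: redirect every plain-HTTP request (assets and mounted engines included), send an HSTS header, and mark each cookie Secure. The following is an added, Rails-free Ruby sketch of that behaviour written for this page; it is not `ActionDispatch::SSL` itself. The `exclude:` proc plays the role of the `exclude` option under `config.ssl_options[:redirect]` for endpoints that must stay reachable over HTTP; the class and method names, the host `app.example` and the cookie value are constructed for the example.

```ruby
# Minimal Rack-style "force HTTPS" middleware (illustration only, not Rails' code).
# Behaviour mirrored from the commit message: HTTP -> HTTPS redirect, HSTS header on
# HTTPS responses, and every Set-Cookie upgraded to Secure. An explicitly excluded
# request is served over HTTP untouched (no HSTS: browsers ignore HSTS over HTTP).
class ForceHttps
  HSTS = "max-age=31536000; includeSubDomains".freeze

  # app:     any object responding to call(env) -> [status, headers, body]
  # exclude: proc(env) -> true for requests allowed over plain HTTP (hypothetical
  #          stand-in for config.ssl_options[:redirect][:exclude])
  def initialize(app, exclude: ->(_env) { false })
    @app = app
    @exclude = exclude
  end

  def call(env)
    if env["rack.url_scheme"] == "https"
      status, headers, body = @app.call(env)
      [status, secure_headers(headers), body]
    elsif @exclude.call(env)
      @app.call(env) # opted out on purpose, e.g. a load-balancer health check
    else
      redirect_to_https(env)
    end
  end

  private

  # 301 for safe methods, 307 so that a POST/PUT body is replayed over HTTPS.
  def redirect_to_https(env)
    location = "https://#{env["HTTP_HOST"]}#{env["PATH_INFO"]}"
    location += "?#{env["QUERY_STRING"]}" unless env["QUERY_STRING"].to_s.empty?
    status = %w[GET HEAD].include?(env["REQUEST_METHOD"]) ? 301 : 307
    [status, { "Location" => location, "Content-Type" => "text/html" }, []]
  end

  # Add HSTS and append "; secure" to any cookie that does not already carry it.
  def secure_headers(headers)
    out = headers.dup
    out["Strict-Transport-Security"] = HSTS
    if out["Set-Cookie"]
      out["Set-Cookie"] = out["Set-Cookie"].split("\n")
                                           .map { |c| c =~ /;\s*secure/i ? c : "#{c}; secure" }
                                           .join("\n")
    end
    out
  end
end

# Constructed downstream app: always 200 and sets a (deliberately non-Secure) cookie,
# the way a controller-only force_ssl setup would leave it.
APP = lambda do |_env|
  [200,
   { "Content-Type" => "text/plain",
     "Set-Cookie" => "_session_id=abc123; path=/; HttpOnly" },
   ["ok"]]
end

# Constructed Rack env for a single request.
def build_env(scheme, path, method: "GET", query: "")
  { "rack.url_scheme" => scheme, "HTTP_HOST" => "app.example", "PATH_INFO" => path,
    "REQUEST_METHOD" => method, "QUERY_STRING" => query }
end

# Run one request through the middleware; returns [status, headers, body].
def run(scheme, path, method: "GET", query: "", exclude: ->(_env) { false })
  ForceHttps.new(APP, exclude: exclude).call(build_env(scheme, path, method: method, query: query))
end

if __FILE__ == $PROGRAM_NAME
  puts run("http", "/assets/app.js").inspect          # redirected, even though no controller is involved
  puts run("https", "/login")[1].inspect               # HSTS present, cookie now "; secure"
  health = ->(env) { env["PATH_INFO"] == "/healthz" }
  puts run("http", "/healthz", exclude: health).inspect # served over HTTP by explicit choice
end
```

The `/assets/app.js` case is the one the commit message warns about: a controller-level `force_ssl` never sees that request, so only something sitting in the middleware stack can redirect it or secure the cookies it carries.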

- 26 Mar 2018, 1 commit
Committed by Isaac Orme

- 12 Mar 2018, 1 commit
Committed by Yauheni Dakuka

- 28 Nov 2017, 1 commit
Committed by Dixit Patel

- 25 Oct 2017, 1 commit
Committed by willnet

- 09 Oct 2017, 1 commit
Committed by Yoshiyuki Hirano

- 06 Oct 2017, 1 commit
Committed by Yauheni Dakuka

- 20 Sep 2017, 1 commit
Committed by Claudio B
According to #30067:

> This PR will deprecate secrets.yml* and instead adopt config/credentials.yml.enc to signify what these secrets are specifically for: Keeping API keys, database passwords, and any other integration credentials in one place.

[ci skip] since only comments are being edited.

- 19 Sep 2017, 1 commit
Committed by Yauheni Dakuka

- 14 Sep 2017, 1 commit
Committed by Kasper Timm Hansen
Removes most mentions of secrets.secret_key_base and explains credentials instead. Also removes some very stale upgrade notices about Rails 3/4.

- 23 Aug 2017, 1 commit
Committed by Yoshiyuki Hirano

- 12 Jul 2017, 1 commit
Committed by Yuki Nishijima

- 22 May 2017, 1 commit
Committed by dixpac
When defining callbacks, the latest definition on the same callback/method overwrites previous ones.

- 30 Mar 2017, 1 commit
Committed by Jon Moss
Add comma and change verb. [ci skip]

- 29 Mar 2017, 1 commit
Committed by Frederik Wille
Adds a hint that `after_action` callbacks are not executed when an exception was raised in the rest of the request cycle. The `before_action` section mentions "If there are additional filters scheduled to run after that filter, they are also cancelled." but this is IMO not sufficient.

- 23 Nov 2016, 1 commit
Committed by Kirill Zhuravlov
Add a link to http://api.rubyonrails.org/classes/ActionController.html in the beginning of an article.

- 12 Nov 2016, 1 commit
Committed by Xavier Noria

- 17 Jul 2016, 1 commit
Committed by Prathamesh Sonpatki
- By default the session store will be set to cookie store with application name as session key.
- Older apps are not affected as they will have the session store initializer generated by Rails in older versions, and Rails will not overwrite the session store if it is already set or disabled.
- But new apps will not have the initializer, instead the session store will be set to cookie store by default.
- Based on comment by DHH here - https://github.com/rails/rails/issues/25181#issuecomment-222312764.

- 14 Jun 2016, 1 commit
Committed by Jun Wan Goh

- 28 May 2016, 1 commit
Committed by yuuji.yaginuma

- 21 May 2016, 1 commit
Committed by Jon Moss
[ci skip]

- 31 Mar 2016, 1 commit
Committed by Andrew Babichev

- 15 Mar 2016, 1 commit
Committed by Sandeep Navghane

- 20 Jan 2016, 1 commit
Committed by Gaurav Sharma
Rails 5.0's default server is the Puma web server, following commit https://github.com/rails/rails/commit/ae48ea69

- 12 Jan 2016, 1 commit
Committed by Mauro George
[ci skip]

- 18 Dec 2015, 1 commit
Committed by David Heinemeier Hansson
Still more to do. Please assist!

- 17 Dec 2015, 1 commit
Committed by Derek Prior
`redirect_to :back` is a somewhat common pattern in Rails apps, but it is not completely safe. There are a number of circumstances where HTTP referrer information is not available on the request. This happens often with bot traffic and occasionally to user traffic depending on browser security settings. When there is no referrer available on the request, `redirect_to :back` will raise `ActionController::RedirectBackError`, usually resulting in an application error. `redirect_back` takes a required `fallback_location` keyword argument that specifies the redirect when the referrer information is not available. This prevents 500 errors caused by `ActionController::RedirectBackError`.

- 18 Sep 2015, 1 commit
Committed by Bradley D
AbstractRequest has been deprecated, updating to refer to ActionDispatch::Request instead. [ci skip]

- 11 Sep 2015, 1 commit
Committed by Lachlan Campbell

- 02 Sep 2015, 1 commit
Committed by kishore-mohan
typo "description not clear corrected with proper description and action_controller_overview file Rails' -> Rails" [ci skip]

- 30 Aug 2015, 1 commit
Committed by yuuji.yaginuma

- 23 Aug 2015, 1 commit
Committed by shunsukeaida
Followup to #20637.

- 28 Jun 2015, 1 commit
Committed by yui-knk

- 16 Jun 2015, 1 commit
Committed by Xavier Noria

- 05 May 2015, 1 commit
Committed by Ankit gupta

- 10 Apr 2015, 2 commits

- 12 Mar 2015, 1 commit
Committed by Andrew Cantino

- 13 Feb 2015, 1 commit
Committed by yui-knk

- 14 Jan 2015, 1 commit
Committed by Vipul A M
- Changed `IN` to `ON` in all note sentences in guides.