Reputation: 980
skip/disable force_ssl for particular controller in rails
I need to force SSL on all routes in my application except for message#new controller.
In config/environments/production.rb, I have:
config.force_ssl = true
Now all routes being redirect to https, And now I want to disable that for message#new controller.
Does anyone know how to disable force SSL for particular controller in a Rails 4+ application?
Upvotes: 18
Views: 8084
Answers (4)
Reputation: 1
If you need to disable TLS for a healthcheck path, use the exact path:
config.ssl_options = {
redirect: { exclude: -> request { request.path == '/healthcheck' } }
}
The current accepted answer suggests using a very loose regular expression which would bypass TLS for any path that contains healthcheck anywhere in the path. This is a major security risk. Security allowlists should always be as specific as they can possible be.
Upvotes: 0
Reputation: 980
skip_before_action :verify_authenticity_token
force_ssl except: [:index,:create]
Its worked for me.
Upvotes: 8
Reputation: 492
according to documentation following should work (but only for rails > 5 version):
config.ssl_options = {
redirect: {
exclude: -> request { request.path =~ /healthcheck/ }
}
}
Upvotes: 35
Reputation: 1535
Do this in MessagesController.rb -
force_ssl except: [:new]
Upvotes: -2
Related Questions
- Disable force_ssl for specific controllers in Rails 5
- Opposite of Force_SSL in Rails?
- Force SSL for http requests in Rails
- how to suppress ssl on a single controller
- force_ssl in production.rb - how to override in controller to just be http
- How can I force Rails to only use TLS over SSL?
- how do disable force_ssl option for just one action?
- How do I selectively enable SSL in Rails 4 for certain paths?
- Force SSL for specific routes in Rails 3.1
- Rails 3.2 force_ssl except on landing page