diff --git a/app/controllers/api/application_controller.rb b/app/controllers/api/application_controller.rb
index ea12981e0fc..adb315f0d93 100644
--- a/app/controllers/api/application_controller.rb
+++ b/app/controllers/api/application_controller.rb
@@ -5,7 +5,6 @@ class Api::ApplicationController < ActionController::Base
 include TrackRequestId
- force_ssl if: :ssl_enabled?
 before_action :strict_transport_security
 before_action :setup_fakes,
@@ -51,10 +50,6 @@ def unauthorized
 render json: { status: "unauthorized" }, status: :unauthorized
 end
- def ssl_enabled?
- Rails.env.production?
- end
-
 def strict_transport_security
 response.headers["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains" if request.ssl?
 end
diff --git a/app/controllers/application_base_controller.rb b/app/controllers/application_base_controller.rb
index 41f55a7fe3b..f9b1304a804 100644
--- a/app/controllers/application_base_controller.rb
+++ b/app/controllers/application_base_controller.rb
@@ -8,7 +8,6 @@ class ApplicationBaseController < ActionController::Base
 include TrackRequestId
- force_ssl if: :ssl_enabled?
 before_action :check_out_of_service
 before_action :strict_transport_security
@@ -35,10 +34,6 @@ def check_out_of_service
 render "out_of_service", layout: "application" if Rails.cache.read("out_of_service")
 end
- def ssl_enabled?
- Rails.env.production?
- end
-
 def strict_transport_security
 response.headers["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains" if request.ssl?
 end
diff --git a/app/services/deprecation_warnings/disallowed_deprecations.rb b/app/services/deprecation_warnings/disallowed_deprecations.rb
index 26ddc36eb36..e365e45ef33 100644
--- a/app/services/deprecation_warnings/disallowed_deprecations.rb
+++ b/app/services/deprecation_warnings/disallowed_deprecations.rb
@@ -24,7 +24,8 @@ class ::DisallowedDeprecationError < StandardError; end
 /ActionView::Base instances must implement `compiled_method_container`/,
 /render file: should be given the absolute path to a file/,
 /`ActiveRecord::Result#to_hash` has been renamed to `to_a`/,
- /Class level methods will no longer inherit scoping/
+ /Class level methods will no longer inherit scoping/,
+ /Controller-level `force_ssl` is deprecated and will be removed from Rails 6\.1/
 ].freeze
 # Regular expressions for deprecation warnings that should raise an exception on detection
diff --git a/config/environments/production.rb b/config/environments/production.rb
index c1b6847d036..aa0fb4423fe 100644
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@@ -44,7 +44,8 @@
 # config.action_cable.allowed_request_origins = [ 'http://example.com', /http:\/\/example.*/ ]
 # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
- # config.force_ssl = true
+ config.force_ssl = true
+ config.ssl_options = { redirect: { exclude: SslRedirectExclusionPolicy } }
 # Use the lowest log level to ensure availability of diagnostic information
 # when problems arise.
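Review bot: The added `config.ssl_options = { redirect: { exclude: SslRedirectExclusionPolicy } }` line in config/environments/production.rb makes the HTTPS guarantee depend on a policy whose definition is not part of this diff: the SSL middleware skips the redirect for any request the policy matches, so that request is handled by the app over plain HTTP. The controller-level `force_ssl if: :ssl_enabled?` lines removed in this commit show no such exemption, so the excluded requests should be stated next to the setting, for example `# SslRedirectExclusionPolicy.call(request) is true only for <endpoints that must answer over HTTP>; every other request is redirected to HTTPS.` The constant also has to respond to `call(request)` and be loadable while this environment file is evaluated; neither can be confirmed from the hunk. `ssl_options` sets no `hsts:` key, so the middleware presumably emits its default Strict-Transport-Security value while the controllers' `strict_transport_security` callback still sets `max-age=31536000; includeSubDomains`; defining the policy once under `hsts:` would keep a single source for it.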