Disabling SSL for a Heroku App

Backend | Unresolved | 2 | 1267
情歌与酒 2021-01-02 04:17

I recently changed the domain for a Rails app I have running on Heroku. I redirected the original to the new one, and for the last couple of months have been running SSL on

2 answers
  • 2021-01-02 04:32

    config.force_ssl = true enables the Strict-Transport-Security header (HSTS) with a max-age of one year. See this issue. Such a header forces browsers that support it to contact the server over HTTPS for one year. This is to prevent attacks in which a man in the middle downgrades an HTTPS connection to HTTP.

    Moving out of HTTPS for production sites that were served with HSTS is not very easy. You should keep your site served over HTTPS and return HSTS header with max-age=0 to reset the one year setting. The problem is to decide for how long you need to keep HTTPS. To be absolutely sure that all clients are switched, you should do it for one year. You may decide to do it for a shorter period, but at the risk of breaking the site for clients that are visiting infrequently.

    0 | Discussion (0)
  • 2021-01-02 04:44

    In addition to what Jan said, here is what I did to do the trick.

    In application_controller.rb:

    class ApplicationController < ActionController::Base
      # before_filter was renamed before_action in Rails 4 and removed in Rails 5.1;
      # on older Rails use before_filter :expire_hsts.
      before_action :expire_hsts

      [...]
      private
        # Tell browsers that stored the one-year HSTS policy to forget it.
        # Browsers only honour this header when it arrives over HTTPS.
        def expire_hsts
          response.headers["Strict-Transport-Security"] = 'max-age=0'
        end
    end

    In production.rb:

    # Stops the HTTP-to-HTTPS redirect and stops Rails adding its own HSTS header.
    config.force_ssl = false

    Clear the cache of your web browser and that's it!

    0 | Discussion (0)
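As an added example, not code from either answer: a Rack-style middleware equivalent of the before_filter above, together with a small model of a browser's HSTS store that replays the two possible orders of operations (switch to HTTP first, or keep HTTPS and send max-age=0 first). It assumes only the Rack calling convention (call(env) returning [status, headers, body], with the request scheme in rack.url_scheme) and needs neither Rails nor Rack installed; the host name, timestamps and the one-year max-age value are constructed for the demonstration.

```ruby
# Added example, not code from either answer: an HSTS "reset" as a Rack-style
# middleware, plus a toy model of a browser's HSTS store that shows why the
# max-age=0 header must still be delivered over HTTPS. Host name and times
# below are constructed for the demonstration.

# Rack-style middleware: wraps anything that responds to call(env) and returns
# [status, headers, body]. Rack puts the request scheme in env["rack.url_scheme"].
class ExpireHsts
  HEADER = 'Strict-Transport-Security'

  def initialize(app, max_age: 0)
    @app = app
    @max_age = max_age
  end

  def call(env)
    status, headers, body = @app.call(env)
    # RFC 6797 section 8.1: a browser ignores HSTS received over a non-secure
    # transport, so there is no point setting it on plain-HTTP responses.
    headers[HEADER] = "max-age=#{@max_age}" if env['rack.url_scheme'] == 'https'
    [status, headers, body]
  end
end

# Toy model of a browser's HSTS store: host => policy expiry time.
class HstsStore
  def initialize
    @hosts = {}
  end

  # Process the HSTS header of a response for +host+ received over +scheme+.
  def observe(host, scheme, headers, now: Time.now)
    return unless scheme == 'https'            # ignored over plain HTTP
    value = headers['Strict-Transport-Security'] or return
    max_age = value[/max-age=(\d+)/i, 1] or return
    if max_age.to_i.zero?
      @hosts.delete(host)                      # max-age=0 forgets the host
    else
      @hosts[host] = now + max_age.to_i
    end
  end

  # True while the browser would rewrite http:// URLs for +host+ to https://.
  def force_https?(host, now: Time.now)
    expiry = @hosts[host]
    !expiry.nil? && expiry > now
  end
end

# Replays the rollback described in the answers against the toy store.
def simulate_hsts_rollback
  host  = 'example.com'                        # constructed host
  t0    = Time.utc(2021, 1, 1)                 # constructed timestamps
  later = t0 + 86_400
  store = HstsStore.new

  # 1. What a year of force_ssl = true left behind: a one-year policy.
  store.observe(host, 'https', { 'Strict-Transport-Security' => 'max-age=31536000' }, now: t0)
  pinned = store.force_https?(host, now: later)

  backend = ->(_env) { [200, { 'Content-Type' => 'text/html' }, ['ok']] }
  app = ExpireHsts.new(backend)

  # 2. Wrong order: drop HTTPS first. The reset header is never sent, and the
  #    browser would not honour it over HTTP anyway, so the pin survives.
  _status, http_headers, _body = app.call('rack.url_scheme' => 'http')
  store.observe(host, 'http', http_headers, now: later)
  still_pinned = store.force_https?(host, now: later)

  # 3. Right order: keep serving HTTPS and send max-age=0; the pin is cleared.
  _status, https_headers, _body = app.call('rack.url_scheme' => 'https')
  store.observe(host, 'https', https_headers, now: later)
  cleared = !store.force_https?(host, now: later)

  { pinned: pinned,
    still_pinned_after_http_only: still_pinned,
    cleared_after_https_reset: cleared,
    http_header: http_headers['Strict-Transport-Security'],
    https_header: https_headers['Strict-Transport-Security'] }
end

if __FILE__ == $PROGRAM_NAME
  simulate_hsts_rollback.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

Run it directly with ruby to print the results of the three steps. The model makes the first answer's point concrete: a browser only acts on Strict-Transport-Security when the header arrives over HTTPS, so turning force_ssl off before the max-age=0 response has reached returning visitors leaves their browsers pinned to HTTPS until the original max-age runs out. The HSTS store is also separate from the ordinary page cache; in Chrome it can be inspected, and a host deleted, at chrome://net-internals/#hsts.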