by RyanZAG
4636 days ago
Running over HTTPS is not enough; stripping SSL when you can MITM or alter traffic is incredibly easy and adds no real complexity. You must both force https and have HSTS enabled at a minimum [1]. Some JavaScript to ensure that the page being displayed is running over https for first-time users is also a good bet (but can be circumvented).

[1] http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
Useful link: http://jamescrisp.org/2013/08/04/moving-to-https-rails-force...
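The "force https plus HSTS" combination the comment describes, as an added example that is not from the comment or the linked article: a minimal Rack-style middleware (class name `ForceHttpsWithHsts` and the sample app are assumptions) that permanently redirects plain-HTTP requests and sets `Strict-Transport-Security` only on HTTPS responses, since RFC 6797 browsers ignore the header when it arrives over plain HTTP.

```ruby
# Added example, not code from the comment or the linked Rails article.
# Rails' config.force_ssl does the same job; this shows the mechanics in
# a plain Rack-compatible middleware with no gem dependency.
class ForceHttpsWithHsts
  # max_age in seconds; one year plus includeSubDomains is a common baseline.
  def initialize(app, max_age: 31_536_000, include_subdomains: true)
    @app = app
    @hsts_value = "max-age=#{max_age}"
    @hsts_value += "; includeSubDomains" if include_subdomains
  end

  def call(env)
    unless https?(env)
      # Permanent redirect to the same path on HTTPS. Nothing is served over
      # plain HTTP, so a stripped first visit has no page to tamper with;
      # HSTS protects every later visit.
      location = "https://#{env['HTTP_HOST']}#{env['PATH_INFO']}"
      query = env['QUERY_STRING']
      location += "?#{query}" if query && !query.empty?
      return [301, { 'Content-Type' => 'text/plain', 'Location' => location },
              ['Redirecting to HTTPS']]
    end
    status, headers, body = @app.call(env)
    # Only HTTPS responses carry HSTS; browsers discard it over HTTP anyway.
    [status, headers.merge('Strict-Transport-Security' => @hsts_value), body]
  end

  private

  # Scheme from the request itself, or X-Forwarded-Proto behind a
  # TLS-terminating proxy. Only trust that header if the proxy is known to
  # overwrite it; otherwise a client could forge it and skip the redirect.
  def https?(env)
    env['rack.url_scheme'] == 'https' || env['HTTPS'] == 'on' ||
      env['HTTP_X_FORWARDED_PROTO'] == 'https'
  end
end

# Constructed sample app and request helper so the block runs without Rack.
HELLO_APP = ->(_env) { [200, { 'Content-Type' => 'text/plain' }, ['hello']] }
SECURED_APP = ForceHttpsWithHsts.new(HELLO_APP)

def simulate_request(scheme, host, path, query = '')
  SECURED_APP.call('rack.url_scheme' => scheme, 'HTTP_HOST' => host,
                   'PATH_INFO' => path, 'QUERY_STRING' => query)
end

if __FILE__ == $PROGRAM_NAME
  p simulate_request('http', 'example.com', '/login', 'next=%2Fhome')
  p simulate_request('https', 'example.com', '/login')
end
```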