Unfortunately this won't work for the cases where the same application
serves multiple domains but only some of them have an SSL certificate. Also
it can't be enabled by default since not everyone is serving over HTTPS.
What I suggested can be enabled by default out of the box improving
security a
Hi, if you want to use only HTTPS with all secure options, I recommend that
you uncomment the default production environment option in
config/environments/production.rb:
# Force all access to the app over SSL, use Strict-Transport-Security,
# and use secure cookies.
# config.force_ssl = true
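
The three behaviours named in that comment (HTTPS redirect, Strict-Transport-Security, secure cookies), applied per host for the mixed-certificate case raised earlier in the thread. This is an added example, not part of the original messages and not Rails' own implementation; `PerHostSSL`, `tls_hosts`, the hostnames, the HSTS value and the cookie are constructed for illustration.

```ruby
# Added illustration: a minimal Rack-style middleware (no gems needed) that
# enforces HTTPS only for hosts known to have a certificate.
class PerHostSSL
  HSTS = "max-age=31536000; includeSubDomains" # constructed policy value

  # tls_hosts: hostnames that serve a valid certificate (assumption)
  def initialize(app, tls_hosts:)
    @app = app
    @tls_hosts = tls_hosts.map(&:downcase)
  end

  def call(env)
    host = env["HTTP_HOST"].to_s.downcase.sub(/:\d+\z/, "")
    # HTTP-only domain: pass through untouched. Checking the allowlist first
    # also keeps an attacker-supplied Host header out of the redirect target.
    return @app.call(env) unless @tls_hosts.include?(host)

    unless env["rack.url_scheme"] == "https"
      # 1. Force access over SSL: redirect without running the app over HTTP
      query = env["QUERY_STRING"].to_s
      location = "https://#{host}#{env['PATH_INFO']}"
      location += "?#{query}" unless query.empty?
      return [301, { "location" => location }, []]
    end

    status, headers, body = @app.call(env)
    headers = headers.dup
    headers["strict-transport-security"] = HSTS # 2. HSTS, sent over HTTPS only
    if (cookies = headers["set-cookie"])        # 3. flag every cookie as secure
      headers["set-cookie"] = Array(cookies).flat_map { |c| c.split("\n") }.map do |c|
        c.match?(/;\s*secure\s*(;|\z)/i) ? c : "#{c}; secure"
      end
    end
    [status, headers, body]
  end
end

# Constructed sample app and request helper
APP = ->(_env) { [200, { "set-cookie" => "sid=abc123; path=/; HttpOnly" }, ["ok"]] }
MW = PerHostSSL.new(APP, tls_hosts: ["secure.example"])

def request(host, scheme, path = "/", query = "")
  MW.call("HTTP_HOST" => host, "rack.url_scheme" => scheme,
          "PATH_INFO" => path, "QUERY_STRING" => query)
end
```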