Summary
Two security hardening items identified during the security audit are intentionally deferred until production is deployed behind a TLS certificate. Applying them now would break the local HTTP-only development workflow.
Items to Address
1. Add secure flag to session cookie
File: app/controllers/concerns/authentication.rb:44
The session cookie is set with httponly and same_site but not secure: true. Without the Secure attribute the browser attaches the cookie to any http:// request for the host, so the session token travels in cleartext and anyone on the path who can observe or provoke a plain-HTTP request (for example by injecting an http:// link or image into any page the user loads) can capture it and replay the session. Signing the cookie only makes it tamper-evident; it does not keep it confidential.
# Current
cookies.signed.permanent[:session_id] = { value: session.id, httponly: true, same_site: :lax }

# Target
cookies.signed.permanent[:session_id] = {
  value: session.id,
  httponly: true,
  same_site: :lax,
  secure: Rails.env.production?  # Secure only where TLS exists; development keeps plain HTTP
}
2. Enable force_ssl and assume_ssl in production config
File: config/environments/production.rb
Both config.assume_ssl and config.force_ssl are commented out. The deploy config (config/deploy.yml) even notes that an SSL proxy requires these. They do different jobs: force_ssl installs the ActionDispatch::SSL middleware, which redirects plain-HTTP requests to HTTPS, while assume_ssl makes Rails treat every request as having arrived over TLS. The second is needed when the proxy terminates TLS and speaks plain HTTP to the app without forwarding X-Forwarded-Proto: otherwise force_ssl sees http, redirects to the https URL the proxy just served, and the client loops. Once TLS termination is in place, uncomment both:
config.assume_ssl = true
config.force_ssl = true
This redirects all HTTP traffic to HTTPS (301 for GET/HEAD, 307 for other methods), sets the Strict-Transport-Security header (Rails' default is a two-year max-age with includeSubDomains), and marks every cookie in the response Secure, so the middleware also backstops item 1. Two caveats: assume_ssl tells the app to trust that nothing reaches it over plain HTTP, so the TLS proxy must be the only ingress to the app; and once HSTS has been served, browsers upgrade every request for the host to HTTPS for the full max-age, so only enable this after the certificate is confirmed working.
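To make the mechanics of both items concrete, here is an added example written for this issue, not Rails' own code: a plain-Ruby model of what ActionDispatch::SSL (force_ssl) and ActionDispatch::AssumeSSL (assume_ssl) do, operating on Rack-style env hashes so it runs without the rails or rack gems. It shows the redirect loop you get from force_ssl alone behind a TLS-terminating proxy that does not forward X-Forwarded-Proto, how assume_ssl resolves it, how the middleware flags cookies Secure, and the browser-side rule that makes a Secure cookie useless on an HTTP-only instance (item 1). The host example.test, the sample session cookie and the request env are constructed for the example; the HSTS value mirrors Rails' default.

```ruby
# Added example: plain-Ruby model of config.force_ssl and config.assume_ssl.
# Mirrors ActionDispatch::SSL / ActionDispatch::AssumeSSL behaviour (redirect
# http->https, add HSTS, flag cookies Secure) but is not Rails' code.
HSTS_VALUE = "max-age=63072000; includeSubDomains" # Rails' default: 2 years, subdomains on

# assume_ssl: rewrite the env so the request counts as TLS regardless of what the
# proxy forwarded. Only safe when a TLS-terminating proxy is the sole ingress.
def assume_ssl(env)
  env.merge(
    "HTTPS" => "on",
    "HTTP_X_FORWARDED_PORT" => "443",
    "HTTP_X_FORWARDED_PROTO" => "https",
    "rack.url_scheme" => "https"
  )
end

# Rack::Request#ssl? logic: TLS if the scheme or a forwarded header says so; with
# a comma-separated X-Forwarded-Proto the first (client-facing) hop wins.
def ssl?(env)
  return true if env["HTTPS"] == "on" || env["HTTP_X_FORWARDED_SSL"] == "on"
  return true if env["HTTP_X_FORWARDED_PROTO"].to_s.split(",").first.to_s.strip == "https"
  env["rack.url_scheme"] == "https"
end

# force_ssl appends "; secure" to every Set-Cookie that lacks it, so the
# middleware backstops item 1 even if a controller forgets the flag.
def flag_cookies_secure(set_cookie)
  set_cookie.split("\n").map { |c| c.match?(/;\s*secure\b/i) ? c : "#{c}; secure" }.join("\n")
end

# force_ssl middleware. `app` is a Rack-style lambda: env -> [status, headers, body].
def force_ssl(app, env)
  unless ssl?(env)
    # Plain HTTP: redirect to the same URL on https (301 for GET/HEAD, 307 otherwise).
    status   = %w[GET HEAD].include?(env["REQUEST_METHOD"]) ? 301 : 307
    location = "https://#{env["HTTP_HOST"]}#{env["PATH_INFO"]}"
    location += "?#{env["QUERY_STRING"]}" unless env["QUERY_STRING"].to_s.empty?
    return [status, { "Location" => location }, []]
  end
  status, headers, body = app.call(env)
  headers = headers.merge("Strict-Transport-Security" => HSTS_VALUE)
  headers["Set-Cookie"] = flag_cookies_secure(headers["Set-Cookie"]) if headers["Set-Cookie"]
  [status, headers, body]
end

# Browser-side rule behind item 1: a cookie marked Secure is attached only to
# https:// requests, so on an HTTP-only instance it is never sent back at all.
def browser_sends_cookie?(set_cookie, request_scheme)
  !set_cookie.match?(/;\s*secure\b/i) || request_scheme == "https"
end

# Constructed sample app: issues the session cookie the way item 1's "Current" code does.
SESSION_APP = lambda do |_env|
  [200, { "Content-Type" => "text/html",
          "Set-Cookie" => "session_id=abc123; path=/; httponly; samesite=lax" }, ["ok"]]
end

# Constructed request as the app sees it behind a TLS-terminating proxy that speaks
# plain HTTP to the app and does not forward X-Forwarded-Proto.
PROXIED_ENV = {
  "REQUEST_METHOD" => "GET", "HTTP_HOST" => "example.test",
  "PATH_INFO" => "/session", "QUERY_STRING" => "", "rack.url_scheme" => "http"
}.freeze

# Runs the proxied request through force_ssl with and without assume_ssl.
def proxy_scenarios
  {
    without_assume_ssl: force_ssl(SESSION_APP, PROXIED_ENV),
    with_assume_ssl:    force_ssl(SESSION_APP, assume_ssl(PROXIED_ENV))
  }
end

if __FILE__ == $PROGRAM_NAME
  r = proxy_scenarios
  # force_ssl alone: 301 to https://example.test/session, which the proxy serves by
  # making the same plain-HTTP request to the app again, i.e. a redirect loop.
  puts "force_ssl only:         #{r[:without_assume_ssl][0]} -> #{r[:without_assume_ssl][1]["Location"]}"
  # With assume_ssl the request counts as TLS: 200, HSTS set, cookie flagged Secure.
  puts "force_ssl + assume_ssl: #{r[:with_assume_ssl][0]} #{r[:with_assume_ssl][1]["Set-Cookie"]}"
  # And why item 1 alone breaks an HTTP-only instance:
  puts "Secure cookie sent over http? #{browser_sends_cookie?("session_id=abc; secure", "http")}"
end
```

Run it with ruby to see the two exchanges side by side; the loop case is exactly what the note in config/deploy.yml about SSL proxies is warning about.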
Why This Is Deferred
We currently run the site over plain HTTP during development. Enabling these settings would:
secure cookie flag: browsers never send a cookie marked Secure over plain HTTP, so the session cookie would be set on login but never returned, breaking local login entirely (the Rails.env.production? guard in the target code is what keeps development on plain HTTP, but the flag only pays off once production actually serves TLS)
force_ssl: redirect all HTTP requests to HTTPS, making the dev server unreachable without a local cert setup
These are deploy-time concerns that should be tackled as part of production SSL provisioning, not before.
Acceptance Criteria
config.assume_ssl = true and config.force_ssl = true are uncommented in production.rb
secure: Rails.env.production? is set on the session cookie in app/controllers/concerns/authentication.rb