Secure Devise cookies in production
cpitkin opened this issue · 2 comments
Make cookies secure in production. Since the cookie from Devise can hold sensitive information, it should be set to load only over a secure connection. This setting would help make everything secure by default, which is good for the end user.
config/initializers/devise.rb:
# Options passed through to the cookie Devise creates for remember-me
config.rememberable_options = { secure: Rails.env.production? }
I agree this is something we should look into for applications that use Fae, but I'm hesitant to have Fae force this by default. First, I'm not even sure that option works in Devise. Last I checked the recommendation was to use a global option like force_ssl (heartcombo/devise#3433).
We can do some testing on a prod environment not yet live to determine the best approach for this.
Thanks.
Just verified that setting config.force_ssl = true in the app environment will ensure the session is secured. I like that solution as it leaves the option to the app dev.
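The two approaches in this thread differ in scope, which is the check a practitioner wants before picking one. Devise's rememberable_options are only merged into the remember-me cookie; the Rails session cookie is governed by the session store options or, globally, by config.force_ssl = true, which inserts ActionDispatch::SSL to redirect plain HTTP to HTTPS, send HSTS, and append the Secure attribute to every Set-Cookie header the app emits. The block below is an added example written for this page, not code from Fae, Devise or Rails: a small Set-Cookie checker you can point at the headers a staging host returns, plus a toy Rack middleware that mimics what ActionDispatch::SSL does to cookies so the before/after difference is visible offline. The function names (cookie_flags, missing_flags, FlagCookiesSecure, demo), the REQUIRED attribute list, and the sample headers are all constructed for the example.

```ruby
# Added example, not part of the Fae, Devise or Rails code bases.
# Hypothetical helper names; sample Set-Cookie lines are constructed.

# Parse one Set-Cookie header value into the cookie name and a
# lowercase attribute map, e.g.
#   "remember_user_token=abc; path=/; HttpOnly"
#   => { name: "remember_user_token", attrs: { "path" => "/", "httponly" => true } }
def cookie_flags(set_cookie)
  pair, *attrs = set_cookie.split(';').map(&:strip)
  name = pair.split('=', 2).first
  parsed = attrs.each_with_object({}) do |attr, h|
    k, v = attr.split('=', 2)
    h[k.downcase] = v.nil? ? true : v
  end
  { name: name, attrs: parsed }
end

# Attributes a session or remember-me cookie should carry in production.
# Secure keeps it off plain HTTP; HttpOnly keeps it away from script.
REQUIRED = %w[secure httponly].freeze

# Map each cookie name to the required attributes it is missing;
# cookies that are fully flagged are omitted, so {} means all good.
def missing_flags(set_cookie_headers)
  set_cookie_headers.each_with_object({}) do |hdr, out|
    c = cookie_flags(hdr)
    missing = REQUIRED.reject { |f| c[:attrs].key?(f) }
    out[c[:name]] = missing unless missing.empty?
  end
end

# Toy Rack middleware mirroring what ActionDispatch::SSL does for cookies
# when config.force_ssl = true is set: append "; secure" to any Set-Cookie
# that lacks it. Accepts the newline-joined string older Rack versions use
# or an array of header values.
class FlagCookiesSecure
  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    raw = headers['Set-Cookie']
    if raw
      values = raw.is_a?(Array) ? raw : raw.split("\n")
      flagged = values.map { |c| c =~ /;\s*secure\b/i ? c : "#{c}; secure" }
      headers['Set-Cookie'] = raw.is_a?(Array) ? flagged : flagged.join("\n")
    end
    [status, headers, body]
  end
end

# Constructed sample: what a Devise app sends over plain HTTP with neither
# force_ssl nor rememberable_options[:secure] set.
SAMPLE_HEADERS = [
  "_myapp_session=abc123; path=/; HttpOnly",
  "remember_user_token=def456; path=/; expires=Thu, 01 Jan 2026 00:00:00 GMT; HttpOnly"
].freeze

# Run the checker before and after the middleware; returns both results.
def demo
  before = missing_flags(SAMPLE_HEADERS)
  app = ->(_env) { [200, { 'Set-Cookie' => SAMPLE_HEADERS.join("\n") }, ['ok']] }
  _status, headers, _body = FlagCookiesSecure.new(app).call({})
  after = missing_flags(headers['Set-Cookie'].split("\n"))
  { before: before, after: after }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

To use the checker against a real deployment, collect the Set-Cookie lines from a sign-in response on the staging host and pass them to missing_flags; an empty hash confirms the session and remember-me cookies carry both attributes. Note that the middleware path only flags cookies on responses that pass through it, which is why force_ssl belongs in config/environments/production.rb for the whole app rather than in one engine's initializer.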