Secure Your Cookies

Learn how to better secure the cookies of your application. A specific example is shown using Ruby on Rails.

# Use this to check the response headers for your application; look at the Set-Cookie line.
# -I sends a HEAD request (plain -X HEAD makes curl wait for a body that never arrives).
# -k skips certificate verification, so only use it against a self-signed test host.
curl -I -k https://ubuntu

# If the session cookie is only set on a full page load, fetch the page and dump just the headers:
curl -s -D - -o /dev/null -k https://ubuntu

To force SSL for an entire Ruby on Rails application, enable force_ssl in your environment file such as production.rb. This redirects HTTP requests to HTTPS, sends a Strict-Transport-Security header, and marks cookies set by the application as secure.

# config/environments/production.rb
config.force_ssl = true

If you need to support both HTTP and HTTPS traffic with your Ruby on Rails application, set the secure flag on the session cookie so that the browser ONLY sends it over HTTPS.

The consequence is that you can no longer maintain session state over HTTP, but the session cookie can no longer be read off the wire by anyone who can observe plaintext HTTP traffic, which closes that route to session hijacking.

# config/initializers/session_store.rb
# Set secure: true; optionally only do this for certain Rails environments (e.g., Staging / Production)
Rails.application.config.session_store :cookie_store, key: '_testapp_session', secure: true
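Once the setting is in place, the thing to verify is the Set-Cookie header the application actually sends, which is what the curl check above shows you. The following is an added example, not code from the original tutorial: a small Ruby script that parses the headers of a raw HTTP response and reports any cookie missing the Secure or HttpOnly attribute (Rails sets HttpOnly on the session cookie by default, so its absence is also worth flagging). The response embedded in the script is constructed for illustration; in practice you would paste in the output of the curl command.

```ruby
# Added example, not from the original tutorial: audit Set-Cookie headers for
# the attributes that keep a session cookie off plaintext HTTP (Secure) and
# away from script (HttpOnly). The sample response below is constructed.

# Attributes every cookie must carry, matching the Rails settings discussed above.
REQUIRED_ATTRS = %w[secure httponly].freeze

# Parse one Set-Cookie header value into a name, a value and a hash of
# lower-cased attributes. Valued attributes (SameSite=Lax) keep their value,
# flag attributes (Secure, HttpOnly) map to true.
def parse_set_cookie(header_value)
  pair, *attrs = header_value.split(';').map(&:strip)
  name, value = pair.split('=', 2)
  attributes = attrs.each_with_object({}) do |attr, h|
    k, v = attr.split('=', 2)
    h[k.downcase] = v.nil? ? true : v
  end
  { name: name, value: value, attributes: attributes }
end

# Return every Set-Cookie header value from the head of a raw HTTP response
# (everything before the first blank line), ignoring the body.
def set_cookie_headers(raw_response)
  head = raw_response.split(/\r?\n\r?\n/, 2).first
  head.each_line.filter_map do |line|
    m = line.match(/\ASet-Cookie:\s*(.+?)\s*\z/i)
    m && m[1]
  end
end

# Return [cookie_name, [missing attribute names]] for each cookie that lacks a
# required attribute. An empty array means every cookie passed.
def audit_cookies(raw_response)
  set_cookie_headers(raw_response).filter_map do |hv|
    cookie = parse_set_cookie(hv)
    missing = REQUIRED_ATTRS.reject { |a| cookie[:attributes].key?(a) }
    [cookie[:name], missing] unless missing.empty?
  end
end

# Constructed sample response: the session cookie as Rails emits it with
# secure: true, plus a second cookie that was set without the Secure flag.
SAMPLE_RESPONSE = [
  'HTTP/1.1 200 OK',
  'Content-Type: text/html; charset=utf-8',
  'Set-Cookie: _testapp_session=abc123; path=/; secure; HttpOnly; SameSite=Lax',
  'Set-Cookie: remember_me=1; path=/; HttpOnly',
  '',
  '<html></html>'
].join("\r\n")

if __FILE__ == $PROGRAM_NAME
  findings = audit_cookies(SAMPLE_RESPONSE)
  if findings.empty?
    puts 'All cookies carry Secure and HttpOnly'
  else
    findings.each { |name, missing| puts "#{name}: missing #{missing.join(', ')}" }
  end
end
```

Run it against real output with something like `curl -s -D - -o /dev/null -k https://ubuntu | ruby -e 'load "audit_cookies.rb"; p audit_cookies(STDIN.read)'`; any cookie it lists is one the browser will still send over HTTP.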

Please go ahead and leave a comment below if you have any questions about this tutorial.