Rails 3.1+ force_ssl & HSTS problem

gistfile1.md

Rails 3.1 introduced force_ssl. You can add config.force_ssl = true in application.rb.

• Rails guide

By enabling force_ssl, Rails send a HSTS (HTTP Strict Transport Security) header which will expired in a year.

• Related discussion in Rails repository
• Rack SSL source code

So if you enabled force_ssl once, even you change the config value to false later, the browser you used to open you app before will still remember this website (using domain to identify) require to use HTTPS, and redirect you to HTTPS connection automatically. You may use chrome://net-internals/#hsts to check the domain list in Google Chrome.

If you really need to fall back to HTTP connection, you may need to apply the following code. The setup is to force Rails send a new HSTS header which will be expired immediately. When a browser open your Rails application, the browser will expire the HSTS record.

gistfile2.rb

# Add Rack SSL Enforcer in Gemfile
# https://github.com/tobmatth/rack-ssl-enforcer
gem 'rack-ssl-enforcer'

gistfile3.rb

# Change in application.rb
MyApp::Application.configure do

  # ...
  
  # repeat this line if you added force_ssl to production.rb or other enviornment configuration files
  config.force_ssl = false
  
  # ...
  # configure Rack SSL Enforcer
  # set the HSTS expires value to 0
  # you may add some other options to control the pages you want to apply SSL
  config.middleware.use Rack::SslEnforcer, :hsts => { :expires => 0 }
  
end

# restart your application after finish

Interesting... Or maybe this without an extra gem?
I didn't test it though.

class ApplicationController < ActionController::Base
  before_filter :expire_hsts
  # or in Rails 4:
  # before_action :before_filter

  private
  def expire_hsts
    response.headers['Strict-Transport-Security'] = 'max-age=0'
  end
end