It doesn't justforce your browser to redirect HTTP to HTTPS. It also sets your cookies to be marked "secure", and it enables HSTS, each of which are very good protections against SSL stripping.

它不只是强制您的浏览器将 HTTP 重定向到 HTTPS。它还会将您的 cookie 设置为标记为“安全”，并启用HSTS，每个都是针对 SSL 剥离的非常好的保护。

Even though HTTPS protects your app at "https://example.com/yourapp" against MITM attacks, if someone gets between your client and your server they can rather easily get you to visit "http://example.com/yourapp". With neither of the above protections, your browser will happily send the session cookie to the person doing the MITM.

尽管 HTTPS 保护“ https://example.com/yourapp”上的应用程序免受 MITM 攻击，但如果有人在您的客户端和您的服务器之间进入，他们可以很容易地让您访问“ http://example.com/yourapp” . 如果没有上述保护措施，您的浏览器将很乐意将会话 cookie 发送给执行 MITM 的人。

Setting config.force_sslincludes ActionDispatch::SSL. The ActionDispatch::SSLdocs describe the functionality as follows (emphases added for clarity):

设置config.force_ssl包括ActionDispatch::SSL. 该ActionDispatch::SSL文档描述的功能如下（添加的，为了清楚起见重点）：

See the includes hereand the docs for ActionDispatch::SSL here.

请参阅包括在这里和ActionDispatch :: SSL的文档在这里。

DOCS

文档

This middleware is added to the stack when config.force_ssl = true, and is passed the options set in config.ssl_options. It does three jobs to enforce secure HTTP requests:

此中间件在 时添加到堆栈中config.force_ssl = true，并传递 中设置的选项config.ssl_options。它执行三项工作来强制执行安全的 HTTP 请求：

1. TLS redirect: Permanently redirects http:// requests to https://with the same URL host, path, etc. Enabled by default. Set config.ssl_optionsto modify the destination URL (e.g. redirect: { host: "secure.widgets.com", port: 8080 }), or set redirect: falseto disable this feature.

2. Secure cookies: Sets the secureflag on cookiesto tell browsers they mustn't be sent along with http:// requests. Enabled by default. Set config.ssl_optionswith secure_cookies: falseto disable this feature.

3. HTTP Strict Transport Security (HSTS): Tells the browser to remember this site as TLS-only and automatically redirect non-TLS requests. Enabled by default. Configure config.ssl_optionswith hsts: falseto disable. Set config.ssl_optionswith hsts: { … }to configure HSTS:

   • expires: How long, in seconds, these settings will stick. Defaults to 180.days(recommended). The minimum required to qualify for browser preload lists is 18.weeks.
   • subdomains: Set to trueto tell the browser to apply these settings to all subdomains. This protects your cookies from interception by a vulnerable site on a subdomain. Defaults to true.
   • preload: Advertise that this site may be included in browsers' preloaded HSTS lists. HSTS protects your site on every visit except the first visitsince it hasn't seen your HSTS header yet. To close this gap, browser vendors include a baked-in list of HSTS-enabled sites. Go to https://hstspreload.appspot.comto submit your site for inclusion. To turn off HSTS, omitting the header is not enough. Browsers will remember the original HSTS directive until it expires. Instead, use the header to tell browsers to expire HSTS immediately. Setting hsts: falseis a shortcut for hsts: { expires: 0 }.

1. TLS 重定向：将 http:// 请求永久重定向到具有相同 URL 主机、路径等的https://。默认启用。设置config.ssl_options为修改目标 URL（例如redirect: { host: "secure.widgets.com", port: 8080 }），或设置 redirect: false为禁用此功能。

2. 安全 cookie：在 cookie 上设置secure标志以告诉浏览器它们不能与 http:// 请求一起发送。默认启用。设置 config.ssl_options与secure_cookies: false禁用此功能。

3. HTTP 严格传输安全 (HSTS)：告诉浏览器将此站点记住为仅 TLS 并自动重定向非 TLS 请求。默认启用。配置config.ssl_options与hsts: false对禁用。设置config.ssl_options与hsts: { … }配置HSTS：

   • expires：这些设置会坚持多久（以秒为单位）。默认为 180.days（推荐）。获得浏览器预加载列表资格的最低要求是18.weeks。
   • subdomains: 设置为true告诉浏览器将这些设置应用于所有子域。这可以保护您的 cookie 免受子域上易受攻击的站点的拦截。默认为true.
   • preload：宣传该站点可能包含在浏览器的预加载 HSTS 列表中。HSTS 会在每次访问时保护您的站点，除了第一次访问，因为它还没有看到您的 HSTS 标头。为了弥补这一差距，浏览器供应商提供了一个支持 HSTS 的站点的内置列表。转到https://hstspreload.appspot.com提交您的网站以供收录。要关闭 HSTS，仅省略标头是不够的。浏览器会记住原始的 HSTS 指令，直到它过期。相反，使用标头告诉浏览器立即使 HSTS 过期。设置hsts: false是 的快捷方式hsts: { expires: 0 }。

Requests can opt-out of redirection with exclude:

请求可以选择退出重定向exclude：

config.ssl_options = { redirect: { exclude: -> request { request.path =~ /healthcheck/ } } }

This setting forces HTTPS by redirecting HTTP requests to their HTTPS counterparts. So a browser visiting http://domain.com/pathwill be redirected to https://domain.com/path.

此设置通过将 HTTP 请求重定向到其对应的 HTTPS 来强制使用 HTTPS。所以浏览器访问http://domain.com/path将被重定向到https://domain.com/path.

Leaving the setting commented out would allow both protocols.

将设置注释掉将允许两种协议。

You still have to configure your web server to handle HTTPS requests.

您仍然需要配置您的 Web 服务器来处理 HTTPS 请求。

It forces all communication with the server to be encrypted and use SSL, i.e. through HTTPS.

它强制与服务器的所有通信都加密并使用 SSL，即通过 HTTPS。

When you include it in a controller that controller will only accept HTTPS requests.

当您将它包含在控制器中时，该控制器将只接受 HTTPS 请求。

Helpful links:

有用的网址：

1. http://api.rubyonrails.org/classes/ActionController/ForceSSL/ClassMethods.html
2. http://rubydoc.info/docs/rails/ActionController/ForceSSL
3. http://railscasts.com/episodes/270-authentication-in-rails-3-1?view=comments

1. http://api.rubyonrails.org/classes/ActionController/ForceSSL/ClassMethods.html
2. http://rubydoc.info/docs/rails/ActionController/ForceSSL
3. http://railscasts.com/episodes/270-authentication-in-rails-3-1?view=comments