Move force_ssl check to production config (#2165)

The force_ssl method from controllers does not add all of the options that the
sitewide configuration in a config block does. For example, HSTS enforcement is
not added by the controller method, but is added by this style.

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index a1b9b985cc2698c6e7bd3c47cdec13692c34416c..92755bcd3ea876ff15dc96f2cc30abcc82cb91d6 100644 (file)
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -5,8 +5,6 @@ class ApplicationController < ActionController::Base
   # For APIs, you may want to use :null_session instead.
   protect_from_forgery with: :exception
 
-  force_ssl if: "Rails.env.production? && ENV['LOCAL_HTTPS'] == 'true'"
-
   include Localized
 
   helper_method :current_account

diff --git a/config/environments/production.rb b/config/environments/production.rb
index eff4c293f1402a9141e114bae3e660ad8410b105..cf4b3e7f932087e4fcb46c58b0432e972b69457f 100644 (file)
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@@ -108,6 +108,7 @@ Rails.application.configure do
 
   config.action_mailer.delivery_method = ENV.fetch('SMTP_DELIVERY_METHOD', 'smtp').to_sym
 
+  config.force_ssl = (ENV['LOCAL_HTTPS'] == 'true')
 
   config.react.variant = :production