November 20 2008

Integrated SSL Support
by railsdog

Spree has just added SSL support using the excellent ssl_requirement plugin written by DHH. Now the credit card payment and order summary pages are served up using HTTPS.

You will need an SSL certificate for your production site (obviously) along with a proper virtual host setup for port 443. Don’t forget to add the following to that virtual host so that Mongrel can tell which requests arrived over HTTPS:

RequestHeader set X_FORWARDED_PROTO 'https'
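
Where that directive sits in a full setup, as an added example that is not part of the original post or of Spree: it assumes Apache with mod_ssl, mod_proxy and mod_headers in front of a single Mongrel on 127.0.0.1:8000, and the hostname and certificate paths are placeholders.

```apache
# Added example: hostname, certificate paths and the Mongrel port are placeholders.

# HTTPS virtual host. Apache terminates SSL and proxies to Mongrel over plain
# HTTP, so this header is the only way the Rails app learns the original scheme.
<VirtualHost *:443>
    ServerName shop.example.com

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/shop.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/shop.example.com.key

    # "set" replaces any X_FORWARDED_PROTO value sent by the client.
    RequestHeader set X_FORWARDED_PROTO 'https'

    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:8000/
    ProxyPassReverse / http://127.0.0.1:8000/
</VirtualHost>

# Plain HTTP virtual host, same backend. The header must be absent here so the
# app's view of the scheme always comes from the proxy, never from the client.
# Both spellings are removed because a backend that maps headers to CGI-style
# variables treats them as the same name.
<VirtualHost *:80>
    ServerName shop.example.com

    RequestHeader unset X_FORWARDED_PROTO
    RequestHeader unset X-Forwarded-Proto

    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:8000/
    ProxyPassReverse / http://127.0.0.1:8000/
</VirtualHost>
```

Run apachectl configtest after editing to check the syntax before reloading.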

The default behavior of the ssl_requirement plugin is to not require SSL for any of the pages when running in development mode. If you don’t want to use SSL in production mode, just comment out the ssl_required lines in your controllers. You might also want to check out this interesting blog post by Mike Subelsky for more information on working with SSL in Rails.

Special thanks to Ricardo Shiota Yasuda (shadow11) for providing and testing the patch.