I'm finishing up a Rails 4.2 app for a client and I have enabled the force_ssl option in the production environment. Now everything is working fine, but the client NEEDS to embed an iframe that fetches from a non-secure page. This non-secure page I have no control over, and the page doesn't support https.... :/
Is there any solution that would allow me to have SSL enforced everywhere except on this one controller action?
Thanks
Problem solved! I ended up using https://github.com/tobmatth/rack-ssl-enforcer to set up the SSL constraints I needed:
config.middleware.use Rack::SslEnforcer, except: '/search', strict: true
The force_ssl controller class method is great, but I actually needed more fine-grained control because the page that I needed no security on is actually a user-generated page in a CMS controller. So I actually can't just exclude an action, but an actual user-generated URL. I know this may sound odd, but it's working perfectly for my weird situation. :)
Thanks!
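
The following is an added example, not code from the post or from rack-ssl-enforcer: a simplified model of the redirect decision that `except: '/search', strict: true` asks for, useful for listing which paths end up served over plain HTTP. It assumes a String `except` rule is matched as a path prefix and that `strict` sends exempt paths back to HTTP; the host `example.test` and the sample paths are constructed.

```ruby
require 'uri'

EXCEPT = '/search' # value from the post
STRICT = true      # value from the post

# Rebuild the request URL with a different scheme (hypothetical helper).
def rebuild(uri, scheme)
  query = uri.query ? "?#{uri.query}" : ''
  "#{scheme}://#{uri.host}#{uri.path}#{query}"
end

# Model of the decision: returns [:redirect, url] or [:pass, nil].
# Assumption: a String rule matches when the path starts with it.
def decide(url, except: EXCEPT, strict: STRICT)
  uri = URI.parse(url)
  exempt = uri.path.start_with?(except)
  if !exempt && uri.scheme == 'http'
    [:redirect, rebuild(uri, 'https')]   # enforced path reached over HTTP
  elsif exempt && strict && uri.scheme == 'https'
    [:redirect, rebuild(uri, 'http')]    # strict: exempt path pushed to HTTP
  else
    [:pass, nil]
  end
end

# Audit helper: every application path the exception leaves on plain HTTP.
def plaintext_paths(paths, except: EXCEPT)
  paths.select { |path| path.start_with?(except) }
end

# Constructed route list for illustration only.
SAMPLE_PATHS = %w[/ /login /search /search/my-page /searches/export /account].freeze

if __FILE__ == $PROGRAM_NAME
  %w[http https].each do |scheme|
    SAMPLE_PATHS.each do |path|
      url = "#{scheme}://example.test#{path}"
      action, target = decide(url)
      puts format('%-40s %-9s %s', url, action, target)
    end
  end
  puts "Served without TLS: #{plaintext_paths(SAMPLE_PATHS).join(', ')}"
end
```

Under the prefix assumption, `/searches/export` lands in the plaintext set along with `/search`, so the exception is worth checking against the full route list and the installed gem version.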