Rails: Send links in emails with the right protocol

Dominik Schöler
June 14, 2013
Software engineer at makandra GmbH

By default, ActionMailer generates links with the http protocol, which leaves your users open to SSL stripping. When a logged-in user follows an http link to your application, the browser sends the session cookie along with that request. Although the application then redirects the user to https and from that point on has a secure connection, an attacker who can observe that first unencrypted request can read the cookie and hijack the session.

Teach ActionMailer to use the right protocol

If your application is behind SSL, turn on using https application-wide. In your environment file (either global or per environment, e.g. production only):

config.action_mailer.default_url_options = { :protocol => 'https', :host => 'your-application-host.com' }

If you want emails sent from public parts of your application to use HTTP links and emails sent from SSL-protected parts to use HTTPS links, build a before_filter.

If you need certain links with HTTP, independent from the request's protocol, set the protocol per link:

= link_to 'My App', root_url(:protocol => 'http') # per link
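The three levels described above (an application-wide default, options derived from the current request as a before_filter would compute them, and a per-link override) in plain Ruby, plus a check for rendered mail bodies. This is an added example, not code from the card or from Rails: the `MailerLinks` module, its `Request` stand-in and the method names are assumptions made for the illustration, the host `your-application-host.com` is the placeholder from the card, and `app.example.com` and the sample mail body are constructed.

```ruby
module MailerLinks
  # Application-wide default, mirroring config.action_mailer.default_url_options
  # from the card. The host is the card's placeholder, not a real deployment.
  DEFAULT_URL_OPTIONS = { protocol: 'https', host: 'your-application-host.com' }.freeze

  # Minimal stand-in for the request object a Rails controller sees
  # (hypothetical; only the two readers this example needs).
  class Request
    attr_reader :host

    def initialize(host:, ssl:)
      @host = host
      @ssl = ssl
    end

    def ssl?
      @ssl
    end
  end

  # What a before_filter would compute: mailer URL options derived from the
  # current request, so mail triggered from an SSL-protected page links with
  # https and mail triggered from a public page links with http.
  def self.url_options_from_request(request)
    { protocol: request.ssl? ? 'https' : 'http', host: request.host }
  end

  # Equivalent of root_url(:protocol => 'http'): options given for one link
  # override the defaults for that link only.
  def self.build_url(path, defaults: DEFAULT_URL_OPTIONS, **overrides)
    opts = defaults.merge(overrides)
    "#{opts[:protocol]}://#{opts[:host]}#{path}"
  end

  # Defender-side check for a rendered mail body: every http:// link to your
  # own host is a link that would send the session cookie in the clear.
  def self.insecure_links(body, host)
    body.scan(%r{http://#{Regexp.escape(host)}[^\s"'<>]*})
  end
end

if __FILE__ == $PROGRAM_NAME
  puts MailerLinks.build_url('/')                    # https://your-application-host.com/
  puts MailerLinks.build_url('/', protocol: 'http')  # http://your-application-host.com/

  # Request-dependent options, as a before_filter would set them.
  req = MailerLinks::Request.new(host: 'app.example.com', ssl: false)
  puts MailerLinks.build_url('/account', defaults: MailerLinks.url_options_from_request(req))

  # Constructed mail body: one secure and one plain link to our own host.
  body = 'Click https://app.example.com/login or http://app.example.com/reset?token=x'
  p MailerLinks.insecure_links(body, 'app.example.com')
end
```

In a real application you would run the `insecure_links` check over your mailer previews or in a test, so that a mail template accidentally generating plain http links to your own host fails before it ships.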

Also see: Make ActionMailer use the current request host and protocol for URL generation

Posted by Dominik Schöler to makandra dev (2013-06-14 10:29)