ActionMailer uses http as the default protocol for the URLs it generates, which enables SSL stripping. When a logged-in user follows an http link to your application, the browser sends the session cookies along with that request. Although the application redirects the user to https and from that point on has a secure connection, an attacker who can observe that first unencrypted request can hijack the session.
If your application is served over SSL, use https for generated URLs application-wide. In your environment file (either the global config or a per-environment file, e.g. production only):
config.action_mailer.default_url_options = { :protocol => 'https', :host => 'your-application-host.com' }
If you want to send emails from public parts of your application with HTTP links and emails from SSL-protected parts with HTTPS links, set the protocol in a before_filter based on the current request.
If you need certain links to use HTTP regardless of the request's protocol, set the protocol per link:
= link_to 'My App', root_url(:protocol => 'http') # per link
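The following is an added example, not code from the card or from Rails itself. It models in plain Ruby, without a Rails dependency, how application-wide default_url_options and a per-link :protocol override combine (the two configurations above), what a request-based before_filter would decide, and a small audit that flags plain-http links to the application host in an outgoing mail body, since those are exactly the links an SSL-stripping attacker can use. The module names UrlOptions and MailLinkAudit, the FakeRequest class, the host 'your-application-host.com' and the sample mail body are all constructed for this example.

```ruby
require 'uri'

# Constructed stand-in for config.action_mailer.default_url_options.
module UrlOptions
  DEFAULTS = { protocol: 'https', host: 'your-application-host.com' }.freeze

  # Build an absolute URL the way Rails url helpers do: the application-wide
  # defaults apply first, and per-link options (e.g. protocol: 'http') win.
  def self.url_for(path, options = {})
    opts = DEFAULTS.merge(options)
    "#{opts[:protocol]}://#{opts[:host]}#{path}"
  end

  # What a request-based before_filter would decide: https for SSL requests,
  # http otherwise. `request` is anything responding to ssl? (a Rails request does).
  def self.protocol_for(request)
    request.ssl? ? 'https' : 'http'
  end
end

# Constructed minimal request object for demonstration (real code uses the Rails request).
FakeRequest = Struct.new(:ssl) do
  def ssl?
    ssl
  end
end

# Audit helper: find http:// links to our own host in a rendered mail body.
# Each such link lets a logged-in recipient start an unencrypted request that
# carries the session cookie.
module MailLinkAudit
  def self.insecure_links(body, host)
    body.scan(%r{https?://[^\s"'<>]+})
        .map { |link| link.sub(/[.,;)]+\z/, '') } # drop trailing punctuation
        .select do |link|
          uri = (URI.parse(link) rescue nil)
          uri && uri.scheme == 'http' && uri.host == host
        end
  end
end

# Constructed sample mail body for the audit.
SAMPLE_MAIL_BODY = <<~BODY
  Hi,
  Your settings: https://your-application-host.com/settings
  Reset your password: http://your-application-host.com/reset?token=CONSTRUCTED
  Public docs: http://your-application-host.com/docs
  Partner site: http://partner.example.org/
BODY

if __FILE__ == $0
  puts UrlOptions.url_for('/')                       # https by default
  puts UrlOptions.url_for('/', protocol: 'http')     # per-link override
  puts UrlOptions.protocol_for(FakeRequest.new(true))
  puts MailLinkAudit.insecure_links(SAMPLE_MAIL_BODY, UrlOptions::DEFAULTS[:host])
end
```

Running the audit over outgoing mail in a test or a mail interceptor is a cheap way to catch a missing default_url_options setting before the link reaches a user: any http link to your own host that is not an intentional per-link override is a finding.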
Also see Make ActionMailer use the current request host and protocol for URL generation