
Rails: Send links in emails with the right protocol

Dominik Schöler, Software engineer at makandra GmbH
June 14, 2013

By default, ActionMailer generates links with the http protocol, which enables SSL stripping. When a logged-in user follows an http link to your application, the browser sends the session cookie along with that unencrypted request. Although the application then redirects the user to https and from that point on has a secure connection to the user, an attacker who can observe that first unencrypted request can read the cookie and hijack the session.

Teach ActionMailer to use the right protocol


If your application is served over SSL, turn on https for generated URLs application-wide. In your environment file (either the global one or a per-environment one, e.g. production only):

config.action_mailer.default_url_options = { :protocol => 'https', :host => 'your-application-host.com' }

If you want to send emails from public parts of your application with HTTP links and emails from SSL-protected parts with HTTPS links, build a before_filter that sets the mailer's default URL options from the protocol of the current request.

If you need certain links with HTTP, independent from the request's protocol, set the protocol per link:

= link_to 'My App', root_url(:protocol => 'http') # per link
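The three choices above (an application-wide default, a per-request before_filter, and a per-link override) in one runnable script. This is an added example, not code from the card or from Rails: it is plain Ruby without Rails, so `build_url`, `url_options_for_request` and `insecure_app_links` are hypothetical stand-ins for the Rails url helpers and for what a before_filter would compute, and the mail body is constructed. The last helper is the check a defender would run over a rendered mail: it lists every plain-http link to the application host, i.e. exactly the links that would leak a session cookie before the https redirect.

```ruby
require 'uri'

# Application-wide default, mirroring the card's
# config.action_mailer.default_url_options = { :protocol => 'https', :host => '...' }
DEFAULT_URL_OPTIONS = { :protocol => 'https', :host => 'your-application-host.com' }.freeze

# Stand-in for a Rails *_url helper (hypothetical name): builds an absolute URL
# from a path and URL options. Rails accepts the protocol as 'https', 'https:'
# or 'https://'; the same forms are normalised here.
def build_url(path, options = {})
  opts = DEFAULT_URL_OPTIONS.merge(options)
  protocol = opts[:protocol].to_s.sub(%r{:?/*\z}, '')
  "#{protocol}://#{opts[:host]}#{path}"
end

# What a before_filter in a controller (hypothetical) would compute: reuse the
# protocol of the incoming request, so that mails sent from public (http) pages
# carry http links and mails sent from SSL-protected pages carry https links.
def url_options_for_request(request_ssl)
  DEFAULT_URL_OPTIONS.merge(:protocol => request_ssl ? 'https' : 'http')
end

# Defender-side check over a rendered mail body: returns every plain-http link
# that points at the application host. Such a link, followed by a logged-in
# user, sends the session cookie unencrypted before the https redirect.
def insecure_app_links(body, host = DEFAULT_URL_OPTIONS[:host])
  body.scan(%r{http://#{Regexp.escape(host)}[^\s"'<>]*})
end

# Constructed sample mail body (not from the card): one https link, one
# deliberate per-link http override, one link to an unrelated host.
SAMPLE_BODY = <<~BODY
  Hello,
  Manage your account: #{build_url('/account')}
  Read our blog: #{build_url('/blog', :protocol => 'http')}
  Partner site: http://partner.example.com/offer
BODY

if __FILE__ == $0
  puts build_url('/')                                   # https://your-application-host.com/
  puts build_url('/', url_options_for_request(false))   # http://your-application-host.com/
  puts insecure_app_links(SAMPLE_BODY).inspect          # ["http://your-application-host.com/blog"]
end
```

Run it with `ruby` on its own; in a real application the same scan can be applied to `mail.body` in a mailer test so that a link to a session-protected page never ships with the http protocol.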

Also see Make ActionMailer use the current request host and protocol for URL generation

Posted by Dominik Schöler to makandra dev (2013-06-14 10:29)