Missing force SSL configuration for incoming communication detected.

Rule ID: ruby_rails_insecure_communication
Languages: ruby
Source: insecure_communication.yml

Description

When applications process sensitive data, they should default to always use SSL when available. This rule checks if force SSL is enabled at the application level.

Remediations

This helps avoid attacks like session hijacking. More importantly, unencrypted HTTP communication sends all requests as plain text, meaning anyone listening in can see all the traffic and extract user data.

While you want to avoid sending sensitive data whenever possible, it's unavoidable so protecting the connection is an important method of improving your rails application data security.

✅ To force all traffic to your application to be encrypted though SSL, use the following Rails configuration option:

config.force_ssl = true

Resources

Configuring Rails Applications - Ruby on Rails Guides

Associated CWE

CWE-319: Cleartext Transmission of Sensitive Information

OWASP Top 10

A02:2021 - Cryptographic Failures

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=ruby_rails_insecure_communication

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=ruby_rails_insecure_communication

Ready to take the next step? Learn more about Bearer Cloud.