config.force_ssl disabled
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.
What it detects
config.force_ssl = false turns off the middleware that redirects HTTP to HTTPS and stops Rails from marking cookies secure, so session and auth cookies can be sent in plaintext and captured on the network.
Why it matters
config.force_ssl normally does two things: redirects plain HTTP requests to HTTPS, and marks cookies (including the session cookie) secure so browsers never send them over an unencrypted connection. Explicitly disabling it means a user on a network with any HTTP path available, a coffee shop Wi-Fi, a misconfigured load balancer, a stale bookmark, can have their session cookie sent in the clear and captured.
How to fix it
Remove the override, or set config.force_ssl = true, so Rails enforces HTTPS and secure cookies. If a specific health-check endpoint genuinely needs plain HTTP, exclude just that path with the exclude: option rather than disabling force_ssl for the whole app.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo