How can I avoid an SSL error on a Heroku-hosted site (built with Rails) without paying for an SSL certificate

Question

The site I'm running was built using Rails, and it doesn't require users to submit any information if they choose not to, so I am OK not using SSL for the time being. I am in such early stages that I would like to avoid spending money if possible.

The custom domain was purchased from GoDaddy.

I am getting this error when going to the site (which is fine, because you can hit 'Proceed Anyway'), but I'd rather users not have this issue.

Any suggestions on how I can avoid getting this error? The simpler solution the better, even if it is not ideal in the long run, as I just trying to get a beta-version of the site up for friends/family to start testing.

Thanks!

Answer 1

If you want to avoid paying for ssl on heroku, here is the workaround I have found. Your site will still have session hacking vulnerability, but that is many times par for the course these days.

All you have to do is point your signup/login forms to the SSL encrypted version that heroku gives you, and you should be good to go. For example,

= form_for @login_user, :url => "#{Rails.env.production? ? 'https://appname.herokuapp.com' : nil }#{login_url}" do 
    # Rest of the form goes here.

This way, although your site is not 100% airtight, your user's email/password will never be visible to an attacker, thus any issues you may have will be at most an internal problem.

There may even be a config option where all links point to the herokuapp domain, not sure though.

To answer the "such early stages" part of your question, don't waste your time on semantics. If your not serving to many users, don't even bother with things like this until you have the volume necessary to generate concern for this. Focus your time and energy where it matters most. Think short term, scaling is a problem that you want to experience.

In your professional opinion, Sydney Rice or Stevie Johnson?