Handling Devise Cookies as Secure over HTTP When Proxying Through Upstream SSL via AWS Gateway


I am serving a rails API service that is handling my user services using Devise. I am proxying through an AWS API Gateway that terminates SSL, thus the forwarded request will appear as though it's HTTP instead of HTTPS to the application.

Rails has a built-in config.assume_ssl in version 7.1+ specifically for these cases, though I have followed this guide to implement it into my current version (7.0.8). However, I still cannot get Devise to mark _session_id (the session cookie) as secure when sending responses to HTTP requests from the gateway.

What I have tried:

  • Modifying initializers/session_store.rb to include "secure: true"
  • Modifying config.session_store similarly in production.rb (and development.rb just to see)
  • Setting headers, such as X-Forwarded-Proto, on the request and setting them directly in Rails, as the API service will only be accessed from the gateway once in production
  • Adding the gateway IP as a trusted proxy

I know it's more common to run Rails on Puma/Unicorn and forward things through an Nginx server which handles the SSL, but I'd like to think the concepts should remain the same since in both cases, we are just telling Rails to trust that SSL has already been taken care of.
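Added example, not code from the question, from Devise or from Rails: a plain-Ruby model of the Rack env keys that the Rails 7.1 AssumeSSL middleware sets (the same keys the backport guide reproduces) and of the cookie-jar rule that a cookie flagged `secure: true` is only written when the request is seen as SSL, unless `always_write_cookie` is on (the default only in development and test). `SessionCookieApp`, `gateway_env` and `session_set_cookie` are constructed stand-ins for the real app and the gateway's forwarded request, so no gems are needed to run it.

```ruby
# Same env keys that ActionDispatch::AssumeSSL sets in Rails 7.1:
# every request downstream of this middleware reports as HTTPS.
class AssumeSSL
  def initialize(app)
    @app = app
  end

  def call(env)
    env["HTTPS"] = "on"
    env["HTTP_X_FORWARDED_PORT"] = 443
    env["HTTP_X_FORWARDED_PROTO"] = "https"
    env["rack.url_scheme"] = "https"
    @app.call(env)
  end
end

# Constructed stand-in for the cookie jar (not Rails' code): a cookie with
# secure: true is written only when the request is SSL or always_write_cookie
# is set. Over plain HTTP from the gateway, the cookie is silently dropped,
# which is why "secure: true" alone produces no Secure _session_id cookie.
class SessionCookieApp
  def initialize(always_write_cookie: false)
    @always_write_cookie = always_write_cookie
  end

  def call(env)
    ssl = env["rack.url_scheme"] == "https"
    cookie = { name: "_session_id", value: "constructed-token", secure: true }
    headers = {}
    if ssl || !cookie[:secure] || @always_write_cookie
      attrs = "#{cookie[:name]}=#{cookie[:value]}; Path=/; HttpOnly"
      attrs += "; Secure" if cookie[:secure]
      headers["Set-Cookie"] = attrs
    end
    [200, headers, ["ok"]]
  end
end

# Constructed request as it arrives after the gateway terminated TLS: plain HTTP.
def gateway_env
  { "rack.url_scheme" => "http", "HTTPS" => "off", "HTTP_HOST" => "api.example.test" }
end

# Returns the Set-Cookie header the app emits, with or without the middleware.
def session_set_cookie(assume_ssl:, always_write_cookie: false)
  app = SessionCookieApp.new(always_write_cookie: always_write_cookie)
  app = AssumeSSL.new(app) if assume_ssl
  app.call(gateway_env)[1]["Set-Cookie"]
end
```

In production (`always_write_cookie` false) the cookie only appears once the middleware runs; in development it appears regardless, which can hide the problem until deploy.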
