---
title: Enforce TLS Encryption
impact: CRITICAL
impactDescription: protects user data and session cookies from interception
tags: security, tls, ssl, https
---

## Enforce TLS Encryption

Serve the entire application over HTTPS to protect data in transit and to keep session cookies from being replayed by anyone who can observe the network. In Rails, `config.force_ssl = true` enables the `ActionDispatch::SSL` middleware, which does three things: it redirects every plain-HTTP request to the HTTPS equivalent, it adds the `Secure` attribute to every cookie the app sets (so browsers never send the session cookie over HTTP), and it emits a `Strict-Transport-Security` (HSTS) header so that browsers refuse to downgrade on later visits.

**Incorrect (mixed or insecure):**

```ruby
# In config/environments/production.rb
# HTTP requests are served as-is, cookies are set without the Secure flag,
# and no Strict-Transport-Security header is sent.
config.force_ssl = false
```

**Correct (enforced):**

```ruby
# In config/environments/production.rb
# Redirect HTTP to HTTPS, mark cookies Secure, and send an HSTS header.
config.force_ssl = true

# Tune HSTS. The option key for includeSubDomains is `subdomains:`
# (`include_subdomains:` is not recognised and is silently ignored).
# `preload: true` should only be added once the domain has been submitted
# to the browser preload list, because a one-year policy covering all
# subdomains is hard to undo.
config.ssl_options = { hsts: { expires: 1.year, subdomains: true, preload: false } }
```

Two caveats. First, the redirect only fires for requests Rails sees as plain HTTP, so behind a TLS-terminating load balancer or reverse proxy the proxy must forward `X-Forwarded-Proto: https` (Rails 7.1 and later can instead be told `config.assume_ssl = true`); otherwise every request is redirected in a loop. Second, browsers only honour HSTS when it arrives over HTTPS, so the policy takes effect on a user's first successful HTTPS visit, not before.

**Tools:** Brakeman, Mozilla Observatory

---
