HTTPS (Hypertext Transfer Protocol Secure) makes absolute sense. HTTPS provides integrity and confidentiality for the data in transit, and it establishes trust in the server's identity. If the user is expected to provide data, it is absolutely necessary to encrypt it.
Ruby on Rails supports encrypted communication. It simply requires an SSL certificate issued by a certificate authority. Depending on the use case there are several kinds of certificates: single domain, wildcard and multi-domain. Choosing the right certificate authority means weighing the required options against the budget.
Apart from the certificate, a private key (RSA) is required:
$ openssl genrsa -des3 -out server.pass.key 2048
...
Enter pass phrase for server.pass.key:
Verifying - Enter pass phrase for server.pass.key:
Removing the passphrase and saving the key in the server.key file (so the web server can start without prompting for it; the file must be readable only by that server):
$ openssl rsa -in server.pass.key -out server.key
After that the certificate signing request (CSR) has to be created. The Common Name must be the hostname the site is served under:
$ openssl req -nodes -new -key server.key -out server.csr
...
Country Name (2 letter code) [AU]:US
...
Common Name (eg, YOUR name) []:www.example.com
...
The server.csr has to be sent to the certificate provider. The provider in turn will supply the certificate (.pem or .crt file).
Both the certificate and server.key have to be stored on the server, where the web server that terminates SSL in front of the Rails application reads them.
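The key and CSR steps above, plus the check that the certificate the provider returns really belongs to server.key, as an added Ruby example using Ruby's OpenSSL bindings (not code from the original post). The self_signed_cert helper is a stand-in for the certificate authority so the check can run offline; it is not something to deploy.

```ruby
require 'openssl'

# Equivalent of `openssl genrsa 2048` followed by `openssl rsa` (key without passphrase).
def generate_key(bits = 2048)
  OpenSSL::PKey::RSA.new(bits)
end

# Equivalent of `openssl req -new -key server.key -out server.csr` with the
# answers from the post (C=US, CN=www.example.com).
def build_csr(key, common_name:, country: 'US')
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.new([['C', country], ['CN', common_name]])
  csr.public_key = key.public_key
  csr.sign(key, OpenSSL::Digest::SHA256.new)
  csr
end

# Before sending the CSR: its signature verifies and it carries the public half of our key.
def csr_matches_key?(csr, key)
  csr.verify(csr.public_key) && csr.public_key.to_der == key.public_key.to_der
end

# Read back the Common Name so it can be compared with the intended hostname.
def csr_common_name(csr)
  entry = csr.subject.to_a.find { |name, _value, _type| name == 'CN' }
  entry && entry[1]
end

# After the provider answers: the .pem/.crt must match the private key on the server.
def cert_matches_key?(cert_pem, key)
  OpenSSL::X509::Certificate.new(cert_pem).check_private_key(key)
end

# Stand-in for the CA, only so the check above can be exercised offline (constructed, not for production).
def self_signed_cert(csr, key, days: 365)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = csr.subject
  cert.issuer = csr.subject
  cert.public_key = csr.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + days * 86_400
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  cert
end
```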
Then HTTPS can be enforced for the whole application in production mode (config/environments/production.rb). force_ssl redirects plain HTTP requests to HTTPS, marks cookies as secure and sends an HSTS header:
config.force_ssl = true
That is how the entire application is served over SSL, but external assets (scripts, stylesheets, images loaded from other hosts) should be loaded over SSL as well. Otherwise the browser will show mixed-content warnings. The article Protocol independent assets digs deeper into that topic.