OWASP / railsgoat

A vulnerable version of Rails that follows the OWASP Top 10

Home Page: railsgoat.cktricky.com

TLS Support

nvisium-john-poulin opened this issue

As discussed on the RailsGoat FAQ (https://railsgoat.cktricky.com/faq.html), there should be support for SSL/TLS. We can just use letsencrypt, and add tutorials/tests for cookie flags, HSTS, mixed content and other configuration options.

Q: Will you support SSL at some point?

A: Absolutely, but likely using a self-signed cert. The idea would be to demo framework-specific protections rather than the certificate itself.
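The three checks the issue proposes tests for (cookie flags, HSTS, mixed content), sketched as an added example that is not part of the issue or of RailsGoat's code. The response headers, cookie names, URLs and helper names are constructed for illustration.

```ruby
# Constructed sample response; cookie names and URLs are illustrative only.
SAMPLE_HEADERS = {
  "set-cookie" => ["session_id=abc123; path=/; HttpOnly",
                   "auth_token=xyz789; path=/; Secure"],
  "strict-transport-security" => "max-age=0"
}
SAMPLE_BODY = '<link rel="stylesheet" href="https://example.test/app.css">' \
              '<script src="http://example.test/app.js"></script>' \
              '<a href="http://example.test/help">help</a>'

# Names of cookies whose Set-Cookie header lacks the attribute ("secure", "httponly").
def cookies_missing(set_cookie_headers, attribute)
  lacking = set_cookie_headers.reject do |h|
    h.split(";").drop(1).any? { |a| a.strip.downcase.split("=").first == attribute }
  end
  lacking.map { |h| h.split("=", 2).first.strip }
end

# Parses Strict-Transport-Security; nil when absent or max-age is missing or zero.
def hsts_policy(header)
  return nil if header.nil?
  directives = header.split(";").map { |d| d.strip.downcase }
  max_age = directives.map { |d| d[/\Amax-age="?(\d+)"?\z/, 1] }.compact.first
  return nil if max_age.nil? || max_age.to_i.zero?
  { max_age: max_age.to_i, include_subdomains: directives.include?("includesubdomains") }
end

# http:// subresources in an HTML body (regex approximation, not a full HTML parser).
# Plain <a> links and non-stylesheet <link> tags are navigation or metadata, not mixed content.
def mixed_content(html)
  tags = html.scan(/<(?:script|img|iframe|audio|video|source|embed|link)\b[^>]*>/i)
  tags.flat_map do |tag|
    next [] if tag.match?(/\A<link/i) && !tag.match?(/rel\s*=\s*["']?stylesheet/i)
    tag.scan(/\b(?:src|href)\s*=\s*["'](http:\/\/[^"']+)["']/i).flatten
  end
end

# Runs all three checks against one response and returns human-readable findings.
def audit(headers, body)
  findings = []
  cookies = Array(headers["set-cookie"])
  cookies_missing(cookies, "secure").each { |n| findings << "cookie #{n}: no Secure flag" }
  cookies_missing(cookies, "httponly").each { |n| findings << "cookie #{n}: no HttpOnly flag" }
  findings << "HSTS missing or max-age=0" if hsts_policy(headers["strict-transport-security"]).nil?
  mixed_content(body).each { |u| findings << "mixed content: #{u}" }
  findings
end

puts audit(SAMPLE_HEADERS, SAMPLE_BODY)
```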