My apps tend to just be electronic sign-up sheets for various events. There’s no way we’re going to pay for an SSL certificate for a site that will probably be up for a month or two, at most. However, we do require the people administering the page to log in, which means passwords, which need to travel over an encrypted connection rather than in the clear. That’s really all I care about encrypting, not the entire site. So, my somewhat simple solution in config/routes.rb is:

# config/routes.rb (Rails 3 routing DSL)
if Rails.env.production?
  # :constraints => { :protocol => 'https://' } makes these routes match only
  # requests whose request.protocol is 'https://'; a plain http request to the
  # same path matches nothing. :protocol on the scope is the scheme the routes
  # are declared for, so generated login/logout URLs point at https.
  scope :protocol => 'https://', :constraints => { :protocol => 'https://' } do
    get    "user_sessions/new"
    post   "user_sessions/create"
    delete "user_sessions/destroy"
    match 'login'  => 'user_sessions#new'
    match 'logout' => 'user_sessions#destroy'
  end
else
  # Development and test: the same routes, reachable over any protocol.
  get    "user_sessions/new"
  post   "user_sessions/create"
  delete "user_sessions/destroy"
  match 'login'  => 'user_sessions#new'
  match 'logout' => 'user_sessions#destroy'
end

I only want to require https for the login routes in production. I don’t have https running on my laptop and I’m not worried about my traffic being unencrypted there, so I don’t want to use it on my laptop. The other nice thing is that if someone just types http://server.com/login on my production server, no route matches, so Rails answers with its 404 page, which is fine with me. I could match those URLs and redirect them to https, but I really don’t care. As long as they can’t send their password unencrypted, I’m happy. Worth knowing, though: the session cookie Rails sets after a successful login is still sent back over plain http for the rest of the site, so the password is protected but the logged-in admin session itself can be sniffed and replayed from the same network.
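For anyone who does want the http-to-https redirect the post skips, here is an added example that is not part of the original post or the author's app: a small Rack-style middleware, in plain Ruby with no Rails or rack gem required, that protects the same five paths. It redirects only a GET (the login form carries no secret yet) and refuses an http POST outright, because by the time the POST reaches the server the password has already crossed the network in the clear, and a redirect would just make the browser send it again. The path list, the use of X-Forwarded-Proto (assumed to be set by a TLS-terminating proxy that strips any client-supplied copy), and the suggested config.middleware line are all assumptions made for the example.

```ruby
# Added example, not the original post's code. A Rack-compatible middleware
# (any object responding to call(env)) that forces https on the login routes.
# Assumed mounting in a Rails 3 app, production only:
#   config.middleware.use HttpsOnlyPaths if Rails.env.production?
class HttpsOnlyPaths
  # Assumed list: the same paths the post's routes.rb constrains to https.
  PROTECTED = %w[/login /logout
                 /user_sessions/new /user_sessions/create /user_sessions/destroy].freeze

  def initialize(app, paths = PROTECTED)
    @app = app
    @paths = paths
  end

  def call(env)
    path = env["PATH_INFO"]
    # Everything outside the protected paths is served as-is, http or https.
    return @app.call(env) unless @paths.include?(path)
    # Protected path over https: let the app handle it.
    return @app.call(env) if https?(env)

    if env["REQUEST_METHOD"] == "GET"
      # Fetching the login form over http leaks nothing yet, so send the
      # browser to the https version of the same URL.
      [301, { "Location" => https_url(env), "Content-Type" => "text/plain" },
       ["Moved permanently to #{https_url(env)}\n"]]
    else
      # A POST/DELETE over http has already put its body (the password) on the
      # wire in the clear. Redirecting cannot undo that and would only cause a
      # re-send, so reject the request instead and let the user start over.
      [403, { "Content-Type" => "text/plain" },
       ["This action is only accepted over https.\n"]]
    end
  end

  private

  # Assumption: when TLS terminates at a reverse proxy, the proxy sets
  # X-Forwarded-Proto and overwrites any value a client sent. Without a proxy,
  # rack.url_scheme reflects the connection the app server itself accepted.
  def https?(env)
    scheme = env["HTTP_X_FORWARDED_PROTO"] || env["rack.url_scheme"]
    scheme == "https"
  end

  # Same host, path and query string, https scheme.
  def https_url(env)
    host  = env["HTTP_HOST"] || env["SERVER_NAME"]
    query = env["QUERY_STRING"].to_s
    "https://#{host}#{env['PATH_INFO']}" + (query.empty? ? "" : "?#{query}")
  end
end

# Constructed sample requests (not real traffic) used to show the decisions.
SAMPLE_REQUESTS = [
  { "PATH_INFO" => "/login",                 "REQUEST_METHOD" => "GET",
    "rack.url_scheme" => "http",  "HTTP_HOST" => "example.com", "QUERY_STRING" => "" },
  { "PATH_INFO" => "/user_sessions/create",  "REQUEST_METHOD" => "POST",
    "rack.url_scheme" => "http",  "HTTP_HOST" => "example.com" },
  { "PATH_INFO" => "/login",                 "REQUEST_METHOD" => "GET",
    "rack.url_scheme" => "https", "HTTP_HOST" => "example.com" },
  { "PATH_INFO" => "/events",                "REQUEST_METHOD" => "GET",
    "rack.url_scheme" => "http",  "HTTP_HOST" => "example.com" },
].freeze

# Runs each sample through the middleware in front of a stub app that always
# answers 200, returning the list of resulting status codes.
def sample_statuses
  stub_app = lambda { |env| [200, { "Content-Type" => "text/plain" }, ["ok\n"]] }
  guard = HttpsOnlyPaths.new(stub_app)
  SAMPLE_REQUESTS.map { |env| guard.call(env).first }
end

if __FILE__ == $0
  SAMPLE_REQUESTS.zip(sample_statuses).each do |env, status|
    puts "#{env['REQUEST_METHOD']} #{env['rack.url_scheme']}://#{env['HTTP_HOST']}#{env['PATH_INFO']} -> #{status}"
  end
end
```

The rule of thumb encoded here is the one that matters when adding a redirect to the post's setup: redirect requests that have not yet carried a secret, reject the ones that already have. Note that this, like the routes constraint, only protects the password itself; the session cookie issued after login still travels over http on the rest of the site.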