I have a rails 3.2 site, and I hadn't thought about this much aside from setting force_ssl to true. Turns out that automatically enables HSTS and secure cookies - cool!