Please enforce https on the forum
Please enforce https on the forum
and secure cookies... it should just be a setting in phpBB's admin cp & maybe a little .htaccess line to be sure. There's no excuse for allowing plain text logins now. I even get redirected to http when I've tried to use https, I think it's after I post.
Re: Please enforce https on the forum
Yes, that's a really annoying problem. You can "fix" it locally using a custom HTTPS Everywhere rule (which is what I did), but I agree it should be fixed on the server.
BTC: 1domobKsPZ5cWk2kXssD8p8ES1qffGUCm | NMC: NCdomobcmcmVdxC5yxMitojQ4tvAtv99pY
BM-GtQnWM3vcdorfqpKXsmfHQ4rVYPG5pKS
Use your Namecoin identity as OpenID: https://nameid.org/
Re: Please enforce https on the forum
John Kenney wrote: "and secure cookies... it should just be a setting in phpBB's admin cp & maybe a little .htaccess line to be sure. There's no excuse for allowing plain text logins now. I even get redirected to http when I've tried to use https, I think it's after I post."
Agreed, this needs to be fixed. (HTTPS Everywhere is what I'm using at the moment as a workaround.)
Re: Please enforce https on the forum
Simple solution for Lighttpd.
Re: Please enforce https on the forum
renne wrote: "Simple solution for Lighttpd."
My understanding is that HSTS will be enabled on the Namecoin websites in the next couple months. (This is subject to revision if Ryan encounters problems.)
Re: Please enforce https on the forum
It's just a standardized header telling the browsers to switch to HTTPS. As long as your servers can handle the additional SSL-CPU-load, there shouldn't be any problem. I use it with Apache myself. You will also get a better rating at SSL Server Test.
Re: Please enforce https on the forum
renne wrote: "It's just a standardized header telling the browsers to switch to HTTPS. As long as your servers can handle the additional SSL-CPU-load, there shouldn't be any problem. I use it with Apache myself. You will also get better rating at SSL Server Test."
Yes, problem is that if it messes up, the website goes down for as long as the HSTS duration is. So it has to be tested for a little while first. In theory it shouldn't cause issues though.
Re: Please enforce https on the forum
I've enabled secure cookies, set up http -> https redirects and enabled HSTS with a one hour lifetime.
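The three settings named in the post above (secure cookies, http -> https redirects, HSTS with a one hour lifetime) can all be checked from response headers. The following is an added example, not part of the thread or the forum's own configuration; the host name, cookie name and sample responses are constructed for illustration.

```python
from urllib.parse import urlsplit

def parse_hsts(value):
    """Parse Strict-Transport-Security (RFC 6797 s6.1); None if invalid."""
    directives = {}
    for part in filter(None, (p.strip() for p in value.split(";"))):
        name, _, arg = part.partition("=")
        name = name.strip().lower()
        if name in directives:       # a repeated directive invalidates the header
            return None
        directives[name] = arg.strip().strip('"')
    age = directives.get("max-age", "")
    if not (age.isascii() and age.isdigit()):
        return None                  # max-age is required and must be numeric
    return {**directives, "max-age": int(age)}

def header_values(headers, name):
    """All values of one header, matched case-insensitively."""
    return [v for k, v in headers if k.lower() == name]

def audit(http_resp, https_resp, expected_max_age=3600):
    """Each response is (status, [(header, value), ...]); returns findings."""
    findings = []
    status, headers = http_resp
    location = (header_values(headers, "location") or [""])[0]
    if status not in (301, 302, 307, 308) or urlsplit(location).scheme != "https":
        findings.append("plain http is not redirected to https")
    _, headers = https_resp
    hsts = header_values(headers, "strict-transport-security")
    policy = parse_hsts(hsts[0]) if hsts else None   # browsers use only the first
    if policy is None:
        findings.append("missing or invalid HSTS header")
    elif policy["max-age"] != expected_max_age:
        findings.append(f"HSTS max-age is {policy['max-age']}, expected {expected_max_age}")
    for cookie in header_values(headers, "set-cookie"):
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "secure" not in attrs:
            findings.append(f"cookie {cookie.split('=', 1)[0]} lacks Secure")
    return findings

# Constructed sample responses (not captured from the forum).
GOOD_HTTP = (301, [("Location", "https://forum.example/index.php")])
GOOD_HTTPS = (200, [("Strict-Transport-Security", "max-age=3600"),
                    ("Set-Cookie", "forum_sid=abc; Path=/; Secure; HttpOnly")])
BAD_HTTP = (302, [("Location", "http://forum.example/viewtopic.php")])
BAD_HTTPS = (200, [("Strict-Transport-Security", "max-age=3600; max-age=0"),
                   ("Set-Cookie", "forum_sid=abc; Path=/; HttpOnly")])

if __name__ == "__main__":
    print(audit(GOOD_HTTP, GOOD_HTTPS))
    print(audit(BAD_HTTP, BAD_HTTPS))
```

The `expected_max_age` default of 3600 seconds matches the one hour lifetime mentioned in the post; raise it when the test period ends and a longer policy is deployed.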
Re: Please enforce https on the forum
ryanc wrote: "I've enabled secure cookies, set up http -> https redirects and enabled HSTS with a one hour lifetime."
Thanks Ryan.
Re: Please enforce https on the forum
Thanks for that, seems to be working ok now.