Please enforce https on the forum

John Kenney · Post by **John Kenney** » Tue Jun 17, 2014 11:21 pm

and secure cookies... it should just be a setting in phpBB's admin cp & maybe a little .htaccess line to be sure. There's no excuse for allowing plain text logins now. I even get redirected to http when I've tried to use https, I think it's after I post.

domob · Post by **domob** » Wed Jun 18, 2014 5:46 am

Yes, that's a really annoying problem. You can "fix" it locally using a custom HTTPS Everywhere rule (which is what I did), but I agree it should be fixed on the server.

Post by **biolizard89** » Fri Jun 20, 2014 6:52 am

John Kenney wrote:and secure cookies... it should just be a setting in phpBB's admin cp & maybe a little .htaccess line to be sure. There's no excuse for allowing plain text logins now. I even get redirected to http when I've tried to use https, I think it's after I post.

Agreed, this needs to be fixed. (HTTPS Everywhere is what I'm using at the moment as a workaround.)

renne · Post by **renne** » Fri Jun 20, 2014 10:45 am

Simple solution for Lighttpd.

Post by **biolizard89** » Fri Jun 20, 2014 11:12 am

renne wrote:Simple solution for Lighttpd.

My understanding is that HSTS will be enabled on the Namecoin websites in the next couple months. (This is subject to revision if Ryan encounters problems.)

renne · Post by **renne** » Fri Jun 20, 2014 12:04 pm

It's just a standardized header telling the browsers to switch to HTTPS. As long as your servers can handle the additional SSL-CPU-load, there shouldn't be any problem. I use it with Apache myself. You will also get better rating at SSL Server Test.

Post by **biolizard89** » Fri Jun 20, 2014 12:46 pm

renne wrote:It's just a standardized header telling the browsers to switch to HTTPS. As long as your servers can handle the additional SSL-CPU-load, there shouldn't be any problem. I use it with Apache myself. You will also get better rating at SSL Server Test.

Yes, problem is that if it messes up, the website goes down for as long as the HSTS duration is. So it has to be tested for a little while first. In theory it shouldn't cause issues though.

ryanc · Post by **ryanc** » Sun Jun 22, 2014 5:10 pm

I've enabled secure cookies, set up http -> https redirects and enabled HSTS with a one hour lifetime.

Post by **biolizard89** » Mon Jun 23, 2014 1:08 am

ryanc wrote:I've enabled secure cookies, set up http -> https redirects and enabled HSTS with a one hour lifetime.

Thanks Ryan.

John Kenney · Post by **John Kenney** » Mon Jun 23, 2014 2:40 am

Thanks for that, seems to be working ok now.

Namecoin Forum

Please enforce https on the forum

Please enforce https on the forum

Re: Please enforce https on the forum

Re: Please enforce https on the forum

Re: Please enforce https on the forum

Re: Please enforce https on the forum

Re: Please enforce https on the forum

Re: Please enforce https on the forum

Re: Please enforce https on the forum

Re: Please enforce https on the forum

Re: Please enforce https on the forum