Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow configuration to require HTTPS login #39

Open
alanhogan opened this issue Sep 18, 2017 · 1 comment
Open

Allow configuration to require HTTPS login #39

alanhogan opened this issue Sep 18, 2017 · 1 comment
Labels
Enhancement Security
Milestone
3.0

Comments

@alanhogan
Copy link
Owner

LM 2.4.0 allowed HTTPS-only cookies but you can still log in on HTTP if your server is flexible, which many would be given http:// short URLs.

We should allow forcing HTTPS logins
@alanhogan
Copy link
Owner Author

Planned implementation:

  1. Introduce a new constant, something like REQUIRE_HTTPS_TO_SHRINK_OR_MANAGE
  2. Any API or web UI requests — that is, anything that hits /-/index.php today — would fail with a 400 BAD REQUEST error and an error page or error message (depending on whether it is via web UI or API) stating that HTTPS is required.

This would be preferred over a 301 or other redirection because a redirection does not let the user know that they have potentially leaked their API key in plaintext, etc.

Of course, the downside is that old integrations & bookmarks will break. This should be combatted with appropriate warnings on the upgrade.

@alanhogan alanhogan added this to the 3.0 milestone Oct 3, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Enhancement Security
Projects
None yet
Milestone
3.0
Development

No branches or pull requests
1 participant
@alanhogan