Enforce SSL on registration and profile pages #46
Comments
|
https://github.com/cemerick/friend/#channel-security might be useful here. |
|
Good point, can't believe I missed that. In fact it would probably be best to require SSL for the entire webapp and make the session cookie SSL-only. I've put in nginx redirects for /profile and /register in the meantime. |
|
Is this something that belongs in the app, or is it better handled at the nginx/proxy level? |
|
It's easy to put in redirect rules for SSL in nginx. But what's not easy to do in nginx is marking the session cookie SSL-only. According to the ring wiki that's done like this: (def app
(wrap-session handler {:cookie-attrs {:secure true}}))I also don't know what implications this has on Phil's Heroku plan though, as presumably that involves ditching nginx? |
|
I'm closing this particular issue as it's done for clojars.org itself: everything except GET on /repo now requires SSL. For the second phase of enforcing SSL in the webapp itself (for secure cookies, Heroku deployment etc) see #48. |
Any page involving passwords should require SSL.
The text was updated successfully, but these errors were encountered: