Enforce SSL on registration and profile pages #46

Any page involving passwords should require SSL.

Comments

https://github.com/cemerick/friend/#channel-security might be useful here.

Good point, can't believe I missed that. In fact it would probably be best to require SSL for the entire webapp and make the session cookie SSL-only. I've put in nginx redirects for /profile and /register in the meantime.

Is this something that belongs in the app, or is it better handled at the nginx/proxy level?

It's easy to put in redirect rules for SSL in nginx. But what's not easy to do in nginx is marking the session cookie SSL-only. According to the ring wiki that's done like this:

```clojure
;; `handler` is the app's Ring handler (not defined in the wiki snippet)
(require '[ring.middleware.session :refer [wrap-session]])

(def app
  (wrap-session handler {:cookie-attrs {:secure true}}))
```

I also don't know what implications this has on Phil's Heroku plan though, as presumably that involves ditching nginx?

I'm closing this particular issue as it's done for clojars.org itself: everything except GET on /repo now requires SSL. For the second phase of enforcing SSL in the webapp itself (for secure cookies, Heroku deployment etc) see #48.
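As an added illustration (not code from the Clojars project or from any commenter above), here is how the two halves of this thread fit together inside the Ring app rather than in nginx: a middleware that redirects plain-HTTP requests to HTTPS while exempting GET on /repo, combined with the `:secure` cookie attribute. It assumes Ring is on the classpath and that the reverse proxy (nginx or Heroku's router) sets `X-Forwarded-Proto` and overwrites any client-supplied copy; `wrap-require-ssl`, `https-request?`, `exempt?` and `handler` are hypothetical names.

```clojure
(ns clojars.ssl-example
  (:require [ring.middleware.session :refer [wrap-session]]
            [ring.util.response :refer [redirect response]]
            [clojure.string :as str]))

;; A request counts as HTTPS if Ring's own :scheme says so, or if the
;; proxy in front of the app terminated TLS and told us via
;; X-Forwarded-Proto. Assumption: the proxy always sets that header
;; itself, so a client cannot spoof it to bypass the redirect.
(defn https-request? [request]
  (or (= :https (:scheme request))
      (= "https" (some-> (get-in request [:headers "x-forwarded-proto"])
                         str/lower-case))))

;; The one exemption from the closing comment: GET on /repo, so that
;; Maven/Leiningen dependency fetches over plain HTTP keep working.
(defn exempt? [request]
  (and (= :get (:request-method request))
       (str/starts-with? (:uri request) "/repo")))

;; Rebuild the requested URL on the https scheme, keeping the query string.
(defn https-url [request]
  (str "https://" (get-in request [:headers "host"])
       (:uri request)
       (when-let [qs (:query-string request)] (str "?" qs))))

(defn wrap-require-ssl
  "Redirect every non-HTTPS, non-exempt request to its HTTPS equivalent."
  [handler]
  (fn [request]
    (if (or (https-request? request) (exempt? request))
      (handler request)
      (redirect (https-url request)))))

;; Stand-in for the real application handler.
(defn handler [request]
  (response "ok"))

;; Session cookie is marked Secure (and HttpOnly), so even if a plain-HTTP
;; request slips through, the browser will not send the cookie over it.
(def app
  (-> handler
      wrap-require-ssl
      (wrap-session {:cookie-attrs {:secure true :http-only true}})))

(comment
  ;; Constructed requests for trying this at the REPL:
  ;; plain-HTTP /profile behind nginx -> redirected to https://clojars.org/profile
  (app {:request-method :get :uri "/profile" :scheme :http
        :headers {"host" "clojars.org" "x-forwarded-proto" "http"}})
  ;; plain-HTTP GET /repo/... -> served as-is
  (app {:request-method :get :uri "/repo/foo/bar/1.0/bar-1.0.pom"
        :scheme :http :headers {"host" "clojars.org"}}))
```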