
Add an option for enforcing SSL in the webapp itself #48

Closed
ato opened this issue May 26, 2012 · 1 comment

Comments

@ato
Collaborator

ato commented May 26, 2012

Currently for the clojars.org deployment we're enforcing that the connection is secure using nginx (see #46 and #45). This could instead be done in the webapp itself, which would allow for a couple of improvements.

  • The ring-session cookies should be marked "secure" (SSL only). It would be good to mark them httpOnly too; there's no need to give JavaScript access.
  • HTTP uploads (Enforce SSL on registration and profile pages #46) should only be allowed over SSL. It would be good to return a 405 with a custom status string explaining the problem. We can't return a custom status string in nginx, so clients currently see a not-so-meaningful 405 Not Allowed if they attempt to deploy using HTTP.
  • The secure enforcement should support the X-Forwarded-Proto header for when the app is behind a reverse proxy or load balancer and is not itself the SSL termination point.

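A Ring middleware sketch of the three points above, added here as an illustration and not clojars-web's own code. It assumes deploys arrive as PUT requests under `/repo/`, and it explains the refusal in the 405 body because a Ring response map has no field for a custom reason phrase.

```clojure
(ns example.force-ssl
  (:require [clojure.string :as str]))

;; Constructed example on plain Ring request/response maps; not clojars-web code.

(defn secure-request?
  "True when the request arrived over TLS, either directly (:scheme :https)
   or via a reverse proxy / load balancer that sets X-Forwarded-Proto."
  [request]
  (if-let [forwarded (get-in request [:headers "x-forwarded-proto"])]
    ;; Chained proxies may send "https, http"; the first value is the client-facing one.
    (= "https" (str/lower-case (str/trim (first (str/split forwarded #",")))))
    (= :https (:scheme request))))

(defn upload?
  "Assumption: repository deploys are PUTs below /repo/."
  [request]
  (and (= :put (:request-method request))
       (str/starts-with? (or (:uri request) "") "/repo/")))

(defn https-location [request]
  (str "https://" (get-in request [:headers "host"] "localhost") (:uri request)
       (when-let [q (:query-string request)] (str "?" q))))

(defn wrap-force-ssl
  "Refuse plaintext uploads with a 405 whose body explains the problem, and
   redirect every other plaintext request to its https:// equivalent."
  [handler]
  (fn [request]
    (cond
      (secure-request? request) (handler request)
      (upload? request) {:status 405
                         :headers {"Content-Type" "text/plain"}
                         :body "Deploys must use HTTPS; retry with an https:// repository URL.\n"}
      :else {:status 301
             :headers {"Location" (https-location request)}
             :body ""})))

;; Cookie flags belong on the session middleware, e.g.
;; (ring.middleware.session/wrap-session app {:cookie-attrs {:secure true :http-only true}})

(def app (wrap-force-ssl (fn [_] {:status 200 :headers {} :body "ok"})))

;; Plaintext deploy attempt, refused with the explanatory 405:
(app {:scheme :http :request-method :put :uri "/repo/org/foo/foo-1.0.jar" :headers {}})
;; TLS terminated at the load balancer, passed through to the handler:
(app {:scheme :http :request-method :get :uri "/" :headers {"x-forwarded-proto" "https"}})
```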
@tobias
Member

tobias commented Apr 26, 2020

We no longer need this - the server is now behind a load balancer that forces TLS, and the cookies are set secure appropriately here: https://github.com/clojars/clojars-web/blob/master/src/clojars/http_utils.clj#L20

@tobias tobias closed this as completed Apr 26, 2020