Currently for the clojars.org deployment we're enforcing that the connection is secure using nginx (see #46 and #45). This could instead be done in the webapp itself which would allow for a couple of improvements.
- The ring-session cookies should be marked "secure" (SSL only). It would be good to mark them httpOnly too; there's no need to give JavaScript access.
- HTTP uploads (Enforce SSL on registration and profile pages #46) should only be allowed over SSL. It would be good to return a 405 with a custom status string explaining the problem. We can't return a custom status string in nginx, so clients currently see a not-so-meaningful "405 Not Allowed" if they attempt to deploy using HTTP.
- The secure enforcement should support the X-Forwarded-Proto header for when the app is behind a reverse proxy or load balancer and is not itself the SSL termination point.
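Added example (not clojars code) of how the three points could be done as Ring middleware; the `/repo/` upload prefix, the option names and the `https-host` value are assumptions, and the X-Forwarded-Proto header is only trusted when the deployment opts in, since a client on a plain connection can set it itself.

```clojure
(ns clojars.middleware.ssl
  (:require [clojure.string :as str]
            [ring.middleware.session :refer [wrap-session]]))

(defn secure-request?
  "True when the request came in over SSL, either directly (:scheme :https)
   or via a reverse proxy that sets X-Forwarded-Proto. Trust the header only
   when the proxy is known to overwrite it; otherwise any client could claim
   https over a plain connection."
  [request trust-forwarded?]
  (let [forwarded (some-> (get-in request [:headers "x-forwarded-proto"])
                          (str/split #",") first str/trim str/lower-case)]
    (or (= :https (:scheme request))
        (and trust-forwarded? (= "https" forwarded)))))

;; Assumption: deploys are PUTs under /repo/ (not taken from clojars itself).
(defn- upload? [request]
  (and (= :put (:request-method request))
       (str/starts-with? (:uri request) "/repo/")))

(defn wrap-require-ssl
  "Reject plain-HTTP uploads with a 405 whose body explains the problem (a Ring
   response carries only a numeric :status, so the explanation cannot go in
   the reason phrase), and redirect any other plain-HTTP request to https."
  [handler {:keys [trust-forwarded? https-host] :or {trust-forwarded? false}}]
  (fn [request]
    (cond
      (secure-request? request trust-forwarded?) (handler request)
      (upload? request)
      {:status 405
       :headers {"Content-Type" "text/plain"}
       :body "Deploying over HTTP is not allowed; use an https:// repository URL.\n"}
      :else
      {:status 301
       :headers {"Location" (str "https://" https-host (:uri request)
                                 (when-let [q (:query-string request)] (str "?" q)))}
       :body ""})))

(defn wrap-secure-session
  "Session cookie flagged Secure and HttpOnly through ring's :cookie-attrs."
  [handler]
  (wrap-session handler {:cookie-attrs {:secure true :http-only true}}))

(comment
  ;; Plain-HTTP deploy hitting the app directly -> 405 with explanation.
  ((wrap-require-ssl (constantly {:status 200}) {:https-host "clojars.org"})
   {:scheme :http :request-method :put :uri "/repo/foo/bar.jar" :headers {}})
  ;; Behind an SSL-terminating proxy that sets the header -> handled normally.
  ((wrap-require-ssl (constantly {:status 200}) {:https-host "clojars.org" :trust-forwarded? true})
   {:scheme :http :request-method :put :uri "/repo/foo/bar.jar" :headers {"x-forwarded-proto" "https"}}))
```

Wrap the app as `(-> handler wrap-secure-session (wrap-require-ssl {:https-host "clojars.org" :trust-forwarded? true}))` when nginx terminates SSL, and leave `:trust-forwarded?` off when the app speaks SSL itself.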