Why is SSL disabled by default in production? #216

Closed
oerd opened this issue Jul 1, 2021 · 1 comment

oerd commented Jul 1, 2021

Hi,

I noticed that SSL is by default disabled in the ProductionConfig class in config.py. The line of code is:

SSL_DISABLE = (os.environ.get('SSL_DISABLE', 'True') == 'True')

In case SSL_DISABLE is not set, the default value will be True, which from my point of view means SSL (or TLS for that matter) will be disabled.

@abhisuri97

I believe the original reasoning for keeping it disabled by default was that not all production environments had SSL certs installed. By setting SSL_DISABLE to false, you were consciously saying “yes, I have an SSL cert installed, please redirect all traffic to SSL”. However, in hindsight, this is very confusing, so I’d welcome a PR to change that.
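
One way the default could be inverted, as an added example that is not the project's code and not part of either comment: the line quoted in the issue beside a variant that keeps the SSL redirect on when the variable is unset and rejects values it does not recognise. The names env_flag, ssl_disable_current and ssl_disable_secure are hypothetical, and the environment dicts are constructed sample input.

```python
import os

# Accepted spellings (an assumption of this example, not the project's list)
_TRUE = {"1", "true", "yes", "on"}
_FALSE = {"0", "false", "no", "off"}


def env_flag(name, default, environ=None):
    """Parse a boolean environment variable strictly.

    Unset returns the default; unrecognised text raises instead of
    silently picking a side.
    """
    environ = os.environ if environ is None else environ
    raw = environ.get(name)
    if raw is None:
        return default
    value = raw.strip().lower()
    if value in _TRUE:
        return True
    if value in _FALSE:
        return False
    raise ValueError(f"{name}={raw!r} is not a recognised boolean")


def ssl_disable_current(environ):
    # Behaviour of the line quoted in the issue: unset means SSL is disabled,
    # and only the exact string 'True' counts as true.
    return environ.get("SSL_DISABLE", "True") == "True"


def ssl_disable_secure(environ):
    # Inverted default: unset means the SSL redirect stays on, and turning
    # it off requires an explicit, recognised value.
    return env_flag("SSL_DISABLE", default=False, environ=environ)


if __name__ == "__main__":
    # Constructed environments: unset, exact match, lowercase, explicit off
    samples = ({}, {"SSL_DISABLE": "True"}, {"SSL_DISABLE": "true"},
               {"SSL_DISABLE": "False"})
    for env in samples:
        print(env, "current:", ssl_disable_current(env),
              "secure:", ssl_disable_secure(env))
```

With the quoted line, a lowercase SSL_DISABLE=true leaves SSL enabled because only the exact string 'True' matches; the strict parser treats both spellings the same and raises on anything else.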
