This repository has been archived by the owner on Jul 26, 2018. It is now read-only.

HTTPS for signup/login #64

Open
drinks opened this issue Jun 7, 2013 · 3 comments

Comments

@drinks
Contributor

drinks commented Jun 7, 2013

Ssl_requirement gem if that's still the way it's done.

@konklone
Contributor

konklone commented Jun 7, 2013

Oddly enough, it'd probably be easier code-wise to make the site all-https. The SSL terminator (pound, or nginx, or whatever) can do the hard work. In Scout's production config.ru, I add:

# sets HSTS header, enforces SSL
require 'rack/ssl'
use Rack::SSL

And that's it!
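For anyone who wants to see what that one middleware line actually does to a request, here is an added example (not from this thread, and not the code of the rack-ssl or ssl_requirement gems): a minimal Rack-style middleware that redirects plain-HTTP requests to https:// and adds a Strict-Transport-Security header to responses served over TLS. It follows the Rack calling convention (`call(env)` returning `[status, headers, body]`) without requiring the rack gem, so it runs stand-alone. The hostname, paths and the `build_env` helper are constructed for the example; the one-year `max-age` is an assumption.

```ruby
# Added example: a hand-written Rack-style "force SSL" middleware.
# Not the rack-ssl gem; it only imitates the behaviour the comment describes.
class ForceSSL
  # One year, in seconds. Assumed value for the example.
  HSTS_VALUE = 'max-age=31536000; includeSubDomains'.freeze

  def initialize(app)
    @app = app
  end

  def call(env)
    return redirect_to_https(env) unless secure?(env)

    status, headers, body = @app.call(env)
    # HSTS is only meaningful on responses that arrived over HTTPS;
    # browsers ignore the header on plain-HTTP responses.
    headers['Strict-Transport-Security'] = HSTS_VALUE
    [status, headers, body]
  end

  private

  # The request is secure if the scheme is https, or if the TLS terminator
  # in front of the app (nginx, pound, ...) says so via X-Forwarded-Proto.
  # The terminator must overwrite that header, not pass the client's copy through.
  def secure?(env)
    env['rack.url_scheme'] == 'https' ||
      env['HTTP_X_FORWARDED_PROTO'] == 'https'
  end

  # 301 so browsers remember it; the query string is preserved.
  def redirect_to_https(env)
    host = env['HTTP_HOST'] || env['SERVER_NAME']
    location = "https://#{host}#{env['PATH_INFO']}"
    location += "?#{env['QUERY_STRING']}" unless env['QUERY_STRING'].to_s.empty?
    [301, { 'Content-Type' => 'text/plain', 'Location' => location }, []]
  end
end

# Trivial inner app standing in for a login endpoint.
LOGIN_APP = lambda do |_env|
  [200, { 'Content-Type' => 'text/plain' }, ['login form']]
end

APP = ForceSSL.new(LOGIN_APP)

# Builds a constructed Rack env hash (no real server involved).
def build_env(scheme:, host: 'www.opencongress.org', path: '/login', query: '', forwarded: nil)
  env = {
    'rack.url_scheme' => scheme,
    'HTTP_HOST' => host,
    'PATH_INFO' => path,
    'QUERY_STRING' => query,
    'REQUEST_METHOD' => 'GET'
  }
  env['HTTP_X_FORWARDED_PROTO'] = forwarded if forwarded
  env
end

if __FILE__ == $PROGRAM_NAME
  status, headers, _body = APP.call(build_env(scheme: 'http', query: 'next=%2Fbills'))
  puts "#{status} -> #{headers['Location']}"
  status, headers, _body = APP.call(build_env(scheme: 'https'))
  puts "#{status} HSTS=#{headers['Strict-Transport-Security']}"
end
```

The point of the `secure?` check is the one that bites people behind a terminator: the app only ever sees plain HTTP from nginx, so it has to trust `X-Forwarded-Proto`, and nginx must set that header itself rather than forward whatever the client sent.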

@konklone
Contributor

This is still the case, over a year later. OpenCongress accepts logins and passwords over plain HTTP:

[screenshot: opencongress-login]

This is really not okay. The good news is that the site already has SSL installed for www, so the easiest way to proceed is to just force-redirect all http:// connections to https://, and move the site to SSL-only. That's enough to address the immediate issue.

Once that's done, there are a few areas for improvement:

  • You can turn on HSTS. By adding a long expiration, and includeSubdomains, you can also submit OC to Chrome's HSTS preload list. This list also moves downstream into Firefox and Safari.
  • The nginx/SSL configuration could use some work to enable TLS 1.2, update openssl, and to tighten up the ciphersuites to enforce forward secrecy. Scout and the Congress API do this pretty well, but I've learned more in the months since I last touched those and I recommend the config flags here that lead to this configuration.
  • The cert isn't valid without the www. You'll need to take care of that before you can declare HSTS for all subdomains. In Chrome:

[screenshot: without-www]

@konklone
Contributor

konklone commented Dec 2, 2014

Just a note that this is still the case:

[screenshot: still]

That's emails and passwords, in plaintext, across the open internet.

HTTPS is already working on OpenCongress: https://www.opencongress.org. All you have to do is turn on the redirect.

Then hey, while you're in the nginx config, add this:

add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';

And then throw it in the Chrome HSTS preload list, and have a nice talking point about how OpenCongress ships as secure in modern browsers.
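Since the two comments above both come down to "send this exact HSTS header", here is an added example (not part of the thread) that parses a Strict-Transport-Security value and reports what is missing before a site is submitted for preloading: a max-age of at least one year (31536000 seconds, matching the nginx line quoted above), includeSubDomains, and preload. Those thresholds are this example's assumptions, taken from that header value; the sample header values are constructed, not captured from any server.

```ruby
# Added example: check an HSTS header value for preload readiness.
# Threshold assumed from the header value quoted in the thread.
MIN_PRELOAD_MAX_AGE = 31_536_000

# Parses "max-age=N; includeSubDomains; preload" into a hash of
# downcased directive name => value (or true for value-less flags).
# Directive names are case-insensitive, hence the downcase.
def parse_hsts(value)
  directives = {}
  value.split(';').each do |part|
    name, val = part.strip.split('=', 2)
    next if name.nil? || name.empty?
    directives[name.downcase] = val.nil? ? true : val.strip.delete('"')
  end
  directives
end

# Returns a list of problems; an empty list means the policy is preload-ready.
def hsts_problems(header_value)
  if header_value.nil? || header_value.strip.empty?
    return ['no Strict-Transport-Security header']
  end

  d = parse_hsts(header_value)
  problems = []
  max_age = d['max-age']
  if !max_age.is_a?(String) || max_age !~ /\A\d+\z/
    problems << 'max-age missing or not an integer'
  elsif max_age.to_i < MIN_PRELOAD_MAX_AGE
    problems << "max-age #{max_age} is below #{MIN_PRELOAD_MAX_AGE} (one year)"
  end
  problems << 'includeSubDomains missing' unless d['includesubdomains']
  problems << 'preload missing' unless d['preload']
  problems
end

# Constructed sample header values (not captured from any real server).
SAMPLE_HEADERS = {
  'redirect only, no HSTS' => nil,
  'short max-age' => 'max-age=300',
  'no subdomains' => 'max-age=31536000; preload',
  'preload-ready (nginx line from the thread)' =>
    'max-age=31536000; includeSubDomains; preload'
}.freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_HEADERS.each do |label, value|
    problems = hsts_problems(value)
    puts "#{label}: #{problems.empty? ? 'OK' : problems.join('; ')}"
  end
end
```

The header is only half of it: the check above says nothing about whether http:// actually redirects to https:// or whether the certificate covers the bare domain, which the earlier comment flags, and both are required before declaring HSTS for all subdomains makes sense.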
