This repository has been archived by the owner on Jul 26, 2018. It is now read-only.
Oddly enough, it'd probably be easier code-wise to make the site all-https. The SSL terminator (pound, or nginx, or whatever) can do the hard work. In Scout's production config.ru, I add:
This is still the case, over a year later. OpenCongress accepts logins and passwords over plain HTTP:
This is really not okay. The good news is that the site already has SSL installed for www, so the easiest way to proceed is to just force-redirect all http:// connections to https://, and move the site to SSL-only. That's enough to address the immediate issue.
Once that's done, there are a few areas for improvement:
You can turn on HSTS. By adding a long expiration, and includeSubdomains, you can also submit OC to Chrome's HSTS preload list. This list also moves downstream into Firefox and Safari.
The nginx/SSL configuration could use some work to enable TLS 1.2, update openssl, and to tighten up the ciphersuites to enforce forward secrecy. Scout and the Congress API do this pretty well, but I've learned more in the months since I last touched those and I recommend the config flags here that lead to this configuration.
The cert isn't valid without the www. You'll need to take care of that before you can declare HSTS for all subdomains. In Chrome:
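The redirect-plus-HSTS approach discussed above, as an added example (not code from the OpenCongress or Scout repositories): a Rack middleware for a config.ru that sends every plain-HTTP request to its https:// equivalent and stamps HTTPS responses with a one-year HSTS header covering subdomains, the form Chrome's preload list expects. The class name ForceSSL and the host names used for testing are constructed for this example.

```ruby
# Added example, not OpenCongress or Scout code. Follows the Rack calling
# convention (call(env) -> [status, headers, body]) without requiring the rack
# gem, so it runs stand-alone. Use in config.ru with: use ForceSSL
class ForceSSL
  ONE_YEAR = 365 * 24 * 60 * 60 # 31536000 s, the minimum max-age for preloading
  HSTS_VALUE = "max-age=#{ONE_YEAR}; includeSubDomains; preload".freeze

  def initialize(app)
    @app = app
  end

  def call(env)
    return redirect_to_https(env) unless https?(env)
    status, headers, body = @app.call(env)
    # Browsers ignore HSTS sent over plain HTTP, so it is only added here, on
    # responses that actually went out over TLS.
    [status, headers.merge("Strict-Transport-Security" => HSTS_VALUE), body]
  end

  private

  # Trust X-Forwarded-Proto as well as rack.url_scheme: the SSL terminator
  # (pound, nginx) usually speaks plain HTTP to the app after terminating TLS.
  def https?(env)
    return true if env["rack.url_scheme"] == "https"
    env["HTTP_X_FORWARDED_PROTO"].to_s.split(",").first.to_s.strip == "https"
  end

  def redirect_to_https(env)
    host = env["HTTP_HOST"] || env["SERVER_NAME"]
    location = "https://#{host}#{env["PATH_INFO"]}"
    location += "?#{env["QUERY_STRING"]}" unless env["QUERY_STRING"].to_s.empty?
    # 301 for GET/HEAD so clients cache the move; 307 otherwise so the method
    # and body are preserved across the redirect.
    status = %w[GET HEAD].include?(env["REQUEST_METHOD"]) ? 301 : 307
    [status, { "Location" => location, "Content-Type" => "text/plain" },
     ["Redirecting to #{location}"]]
  end
end
```

Note that a password POSTed over plain HTTP has already crossed the wire before the 307 fires; the redirect stops future requests, it cannot undo that one, which is why the redirect alone is only the first step.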
ssl_requirement gem if that's still the way it's done.