Freecadweb HTTPS redirect

kkremitzki
Posts: 1795
Joined: Thu Mar 03, 2016 9:52 pm
Location: Texas

Freecadweb HTTPS redirect

Postby kkremitzki » Tue May 16, 2017 4:28 pm

Everything on freecadweb (forum, wiki, tracker) seems to work well with HTTPS, so I wanted to get feedback on switching the site to redirect to HTTPS automatically.

It's currently set up on the bug tracker, so if you try to visit, it'll redirect to HTTPS (as well as redirecting future requests to the wiki, forum, etc.)

Is there any reason to hold off on applying this for the whole website?
Like my FreeCAD work? I'd appreciate any level of support via Patreon, Liberapay, or PayPal! Read more about what I do at my blog.

Re: Freecadweb HTTPS redirect

Postby kkremitzki » Wed May 17, 2017 8:05 am

The homepage, forum, wiki, and tracker all should be redirecting HTTP to HTTPS now. Please let me know if you have any issues!

Re: Freecadweb HTTPS redirect

Postby kkremitzki » Wed May 17, 2017 8:58 am

There was an issue with me accidentally clobbering the .htaccess file that was used for short URLs in the wiki, so it was temporarily inaccessible. That should be fixed now, though.
Kunda1
Posts: 5927
Joined: Thu Jan 05, 2017 9:03 pm

Re: Freecadweb HTTPS redirect

Postby Kunda1 » Wed May 17, 2017 11:23 am

Awesome!
Want to contribute back to FC? Checkout:
#lowhangingfruit | Use the Source, Luke. | How to Help FreeCAD | How to report FC bugs and features
PrzemoF
Posts: 2655
Joined: Fri Jul 25, 2014 4:52 pm

Re: Freecadweb HTTPS redirect

Postby PrzemoF » Wed May 17, 2017 12:51 pm

kkremitzki wrote:The homepage, forum, wiki, and tracker all should be redirecting HTTP to HTTPS now. Please let me know if you have any issues!
No issues so far, thank you for making the switch!
saso
Posts: 1337
Joined: Fri May 16, 2014 1:14 pm

Re: Freecadweb HTTPS redirect

Postby saso » Wed May 17, 2017 1:11 pm

We can probably safely push it a bit further by also adding to .htaccess

Header always set X-XSS-Protection "1; mode=block"
Header always set Content-Security-Policy "frame-ancestors 'none'"
Header always set X-Frame-Options "deny"
Header always set X-Content-Type-Options "nosniff"
Additionally, a few more things could be set, but they would probably need a bit more review and testing before deployment.

https://blog.appcanary.com/2017/http-se ... aders.html
https://wiki.mozilla.org/Security/Guide ... b_Security

https://observatory.mozilla.org/analyze ... cadweb.org
https://observatory.mozilla.org/analyze ... cadweb.org
yorik
Site Admin
Posts: 11577
Joined: Tue Feb 17, 2009 9:16 pm
Location: São Paulo, Brazil

Re: Freecadweb HTTPS redirect

Postby yorik » Wed May 17, 2017 2:21 pm

Looks good to me! For some reason I have the impression that my browser already automatically used the https version before...

Re: Freecadweb HTTPS redirect

Postby kkremitzki » Wed May 17, 2017 2:39 pm

yorik wrote:Looks good to me! For some reason I have the impression that my browser already automatically used the https version before..
It used to be that if you clicked a link using HTTPS or manually went to the site using HTTPS once, you'd start getting HTTP redirected so long as your cache knew HTTPS was available, but if you stayed on HTTP, you'd never get moved to HTTPS. Now, all HTTP requests are automatically and immediately redirected.

Re: Freecadweb HTTPS redirect

Postby kkremitzki » Fri May 19, 2017 5:11 pm

saso wrote:We can probably safely push it a bit further by also adding to .htaccess

Header always set X-XSS-Protection "1; mode=block"
Header always set Content-Security-Policy "frame-ancestors 'none'"
Header always set X-Frame-Options "deny"
Header always set X-Content-Type-Options "nosniff"
Additionally, a few more things could be set, but they would probably need a bit more review and testing before deployment.

https://blog.appcanary.com/2017/http-se ... aders.html
https://wiki.mozilla.org/Security/Guide ... b_Security

https://observatory.mozilla.org/analyze ... cadweb.org
https://observatory.mozilla.org/analyze ... cadweb.org
These have been added. The main site went from D+ to A- and the forums went from D to B+.
saso
Posts: 1337
Joined: Fri May 16, 2014 1:14 pm

Re: Freecadweb HTTPS redirect

Postby saso » Fri May 19, 2017 7:20 pm

kkremitzki wrote:These have been added. The main site went from D+ to A- and the forums went from D to B+.
Awesome and thank you!

Yes, on the forum there are some cookies (phpbb_freecad_u, phpbb_freecad_k, phpbb_freecad_sid) that don't have the "Secure" flag set. It is described in the observatory report and can also be checked from the browser (in Chrome: developer tools, application tab, storage, cookies). If possible this should be added; I am however not sure how, it is probably a phpBB setting...

About the added .htaccess headers, I did check a bit for frames on our pages and did not find any (in Chrome: developer tools, application tab, frames). If there were, however, problems with frames, we could try the "self, sameorigin" options for "Content-Security-Policy: frame-ancestors" and "X-Frame-Options" instead of the "none, deny" that we have now. But if things are working I would leave it.

As for Content Security Policy (the one thing that is left), I would leave that for later... :)
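As an added example that is not part of this thread or of FreeCAD's own server configuration: a small offline Python audit of the three things discussed above, the HTTP-to-HTTPS redirect kkremitzki enabled, the four .htaccess headers saso proposed, and the Secure/HttpOnly flags on the phpBB cookies saso found in the Observatory report. The two HTTP responses in it are constructed by hand (the cookie values are made up, and no request is made to freecadweb.org). It also generalizes slightly: check_headers accepts the sameorigin/'self' pair saso mentions as a fallback and flags the case where X-Frame-Options and frame-ancestors are set to values that disagree, and add_secure_flag shows what a web-server-side Set-Cookie rewrite would do if the flag cannot be set in phpBB (an assumption, not a statement about phpBB's settings).

```python
# Added example, not FreeCAD project code; sample responses below are constructed.
from urllib.parse import urlsplit

# Constructed, not captured: what a plain-HTTP request should get after the switch.
SAMPLE_HTTP_REDIRECT = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://forum.freecadweb.org/\r\n\r\n"
)

# Constructed, not captured: an HTTPS forum page carrying saso's four headers,
# with phpBB cookies that still lack the Secure flag (cookie values made up).
SAMPLE_HTTPS_PAGE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Content-Security-Policy: frame-ancestors 'none'\r\n"
    "X-Frame-Options: deny\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Set-Cookie: phpbb_freecad_u=1; path=/; HttpOnly\r\n"
    "Set-Cookie: phpbb_freecad_k=; path=/; HttpOnly\r\n"
    "Set-Cookie: phpbb_freecad_sid=0123abcd; path=/; HttpOnly\r\n\r\n"
)

def parse_response(raw):
    """Split a raw HTTP/1.1 response head into (status, [(name, value), ...]).
    Names are lower-cased; repeated headers such as Set-Cookie are all kept."""
    status_line, *header_lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = []
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers

def header_values(headers, name):
    return [v for n, v in headers if n == name.lower()]

def check_redirect(raw, expected_host):
    """True if the response redirects to https:// on the expected host."""
    status, headers = parse_response(raw)
    location = header_values(headers, "location")
    if status not in (301, 302, 307, 308) or not location:
        return False
    target = urlsplit(location[0])
    return target.scheme == "https" and target.hostname == expected_host

def frame_ancestors(csp):
    """Source list of the frame-ancestors directive in a CSP value, or None."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None

def check_headers(raw):
    """Findings for the four headers from the thread; an empty list means OK."""
    _, headers = parse_response(raw)
    findings = []
    for name, expected in {"x-xss-protection": "1;mode=block",
                           "x-content-type-options": "nosniff"}.items():
        got = header_values(headers, name)
        if not got or got[0].replace(" ", "").lower() != expected:
            findings.append(f"{name} is not {expected!r}")
    xfo = header_values(headers, "x-frame-options")
    xfo_value = xfo[0].lower() if xfo else None
    if xfo_value not in ("deny", "sameorigin"):
        findings.append("x-frame-options missing or not deny/sameorigin")
    csp = header_values(headers, "content-security-policy")
    ancestors = frame_ancestors(csp[0]) if csp else None
    if ancestors not in (["'none'"], ["'self'"]):
        findings.append("frame-ancestors missing or not 'none'/'self'")
    # A CSP-aware browser ignores X-Frame-Options once frame-ancestors is set,
    # so the pair must agree: deny <-> 'none', sameorigin <-> 'self'.
    pairs = {"deny": ["'none'"], "sameorigin": ["'self'"]}
    if xfo_value in pairs and ancestors and pairs[xfo_value] != ancestors:
        findings.append("x-frame-options and frame-ancestors disagree")
    return findings

def check_cookies(raw):
    """One finding per Set-Cookie that lacks Secure or HttpOnly."""
    _, headers = parse_response(raw)
    findings = []
    for set_cookie in header_values(headers, "set-cookie"):
        attrs = [a.strip() for a in set_cookie.split(";")]
        name = attrs[0].split("=", 1)[0]
        flags = {a.split("=", 1)[0].lower() for a in attrs[1:]}
        for flag in ("Secure", "HttpOnly"):
            if flag.lower() not in flags:
                findings.append(f"cookie {name} lacks {flag}")
    return findings

def add_secure_flag(set_cookie):
    """Assumed fallback if phpBB itself cannot be told to emit Secure: what a
    web-server rewrite of Set-Cookie would do, appending '; Secure' if absent."""
    flags = {a.strip().split("=", 1)[0].lower() for a in set_cookie.split(";")[1:]}
    return set_cookie if "secure" in flags else set_cookie + "; Secure"
```

Run against the constructed samples, check_redirect returns True for the 301, check_headers returns no findings, and check_cookies reports that each of the three phpbb_freecad_* cookies lacks Secure, which is the state saso describes. To audit the live site, feed it the raw response of `curl -si http://forum.freecadweb.org/` and of the HTTPS page instead of the samples; note that cookie flags only matter on the HTTPS response, since a cookie set without Secure is also sent on any plain-HTTP request the browser makes before the redirect.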