Freecadweb HTTPS redirect

kkremitzki
Veteran
Posts: 2515
Joined: Thu Mar 03, 2016 9:52 pm
Location: Illinois

Freecadweb HTTPS redirect

Post by kkremitzki »

Everything on freecadweb (forum, wiki, tracker) seems to work well with HTTPS, so I wanted to get feedback on switching the site to redirect to HTTPS automatically.

It's currently set up on the bug tracker, so if you try to visit, it'll redirect to HTTPS (as well as redirecting future requests to the wiki, forum, etc.)

Is there any reason to hold off on applying this for the whole website?
Like my FreeCAD work? I'd appreciate any level of support via Patreon, Liberapay, or PayPal! Read more about what I do at my blog.
kkremitzki
Veteran
Posts: 2515
Joined: Thu Mar 03, 2016 9:52 pm
Location: Illinois

Re: Freecadweb HTTPS redirect

Post by kkremitzki »

The homepage, forum, wiki, and tracker all should be redirecting HTTP to HTTPS now. Please let me know if you have any issues!
kkremitzki
Veteran
Posts: 2515
Joined: Thu Mar 03, 2016 9:52 pm
Location: Illinois

Re: Freecadweb HTTPS redirect

Post by kkremitzki »

There was an issue with me accidentally clobbering the .htaccess file that was used for short URLs in the wiki, so it was temporarily inaccessible. That should be fixed now, though.
Kunda1
Veteran
Posts: 13434
Joined: Thu Jan 05, 2017 9:03 pm

Re: Freecadweb HTTPS redirect

Post by Kunda1 »

Awesome!
Alone you go faster. Together we go farther
Please mark thread [Solved]
Want to contribute back to FC? Checkout:
'good first issues' | Open TODOs and FIXMEs | How to Help FreeCAD | How to report Bugs
PrzemoF
Veteran
Posts: 3520
Joined: Fri Jul 25, 2014 4:52 pm

Re: Freecadweb HTTPS redirect

Post by PrzemoF »

kkremitzki wrote:The homepage, forum, wiki, and tracker all should be redirecting HTTP to HTTPS now. Please let me know if you have any issues!
No issues so far, thank you for making the switch!
saso
Veteran
Posts: 1924
Joined: Fri May 16, 2014 1:14 pm

Re: Freecadweb HTTPS redirect

Post by saso »

We can probably safely push it a bit further by also adding to .htaccess


Header always set X-XSS-Protection "1; mode=block"
Header always set Content-Security-Policy "frame-ancestors 'none'"
Header always set X-Frame-Options "deny"
Header always set X-Content-Type-Options "nosniff"
Additionally, a few more things could be set, but they would probably need a bit more review and testing before deployment

https://blog.appcanary.com/2017/http-se ... aders.html
https://wiki.mozilla.org/Security/Guide ... b_Security

https://observatory.mozilla.org/analyze ... cadweb.org
https://observatory.mozilla.org/analyze ... cadweb.org
yorik
Founder
Posts: 13664
Joined: Tue Feb 17, 2009 9:16 pm
Location: Brussels

Re: Freecadweb HTTPS redirect

Post by yorik »

Looks good to me! For some reason I have the impression that my browser already automatically used the https version before.
kkremitzki
Veteran
Posts: 2515
Joined: Thu Mar 03, 2016 9:52 pm
Location: Illinois

Re: Freecadweb HTTPS redirect

Post by kkremitzki »

yorik wrote:Looks good to me! For some reason I have the impression that my browser already automatically used the https version before.
It used to be that if you clicked a link using HTTPS or manually went to the site using HTTPS once, you'd start getting HTTP redirected so long as your cache knew HTTPS was available, but if you stayed on HTTP, you'd never get moved to HTTPS. Now, all HTTP requests are automatically and immediately redirected.
kkremitzki
Veteran
Posts: 2515
Joined: Thu Mar 03, 2016 9:52 pm
Location: Illinois

Re: Freecadweb HTTPS redirect

Post by kkremitzki »

saso wrote:We can probably safely push it a bit further by also adding to .htaccess


Header always set X-XSS-Protection "1; mode=block"
Header always set Content-Security-Policy "frame-ancestors 'none'"
Header always set X-Frame-Options "deny"
Header always set X-Content-Type-Options "nosniff"
Additionally, a few more things could be set, but they would probably need a bit more review and testing before deployment

https://blog.appcanary.com/2017/http-se ... aders.html
https://wiki.mozilla.org/Security/Guide ... b_Security

https://observatory.mozilla.org/analyze ... cadweb.org
https://observatory.mozilla.org/analyze ... cadweb.org
These have been added. The main site went from D+ to A- and the forums went from D to B+.
saso
Veteran
Posts: 1924
Joined: Fri May 16, 2014 1:14 pm

Re: Freecadweb HTTPS redirect

Post by saso »

kkremitzki wrote:These have been added. The main site went from D+ to A- and the forums went from D to B+.
Awesome and thank you!

Yes, on the forum there are some cookies (phpbb_freecad_u, phpbb_freecad_k, phpbb_freecad_sid) that don't have the "Secure" flag set. It is described in the observatory report and can also be checked from the browser (in Chrome: developer tools, Application tab, Storage, Cookies). If possible this should be added; I am however not sure how, it is probably a phpBB setting...

About the added .htaccess headers, I did check a bit for frames on our pages and did not find any (in Chrome: developer tools, Application tab, Frames). If there were, however, problems with frames, we could try the "self, sameorigin" options for "Content-Security-Policy: frame-ancestors" and "X-Frame-Options" instead of the "none, deny" that we have now. But if things are working I would leave it.

As for Content Security Policy (the one thing that is left), I would leave that for later... :)
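An added example, not code from the thread or from the FreeCAD infrastructure, that checks captured response headers for the three things discussed here: the HTTP to HTTPS redirect, the framing and sniffing headers from the .htaccess snippet, and the Secure flag on the phpBB cookies. The sample responses and the example.test hostname are constructed, not real captures.

```python
def parse_response(raw: str):
    """Return (status_code, [(name_lowercased, value), ...]) from a raw HTTP response head."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def audit(http_response: str, https_response: str) -> list:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    status, hdrs = parse_response(http_response)
    location = dict(hdrs).get("location", "")
    # Plain HTTP must be permanently redirected to the HTTPS origin.
    if status not in (301, 308) or not location.lower().startswith("https://"):
        findings.append("http: not permanently redirected to https")

    status, hdrs = parse_response(https_response)
    single = {n: v for n, v in hdrs if n != "set-cookie"}
    if single.get("x-frame-options", "").lower() not in ("deny", "sameorigin"):
        findings.append("https: X-Frame-Options missing or permissive")
    if "frame-ancestors" not in single.get("content-security-policy", "").lower():
        findings.append("https: CSP has no frame-ancestors directive")
    if single.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("https: X-Content-Type-Options is not nosniff")
    # Each cookie arrives in its own Set-Cookie header; the Secure attribute must be present.
    for n, v in hdrs:
        if n == "set-cookie":
            name = v.split("=", 1)[0]
            attrs = [a.strip().lower() for a in v.split(";")[1:]]
            if "secure" not in attrs:
                findings.append(f"https: cookie {name} lacks Secure flag")
    return findings


# Constructed sample: headers from the thread applied, one cookie still without Secure.
HTTP_REDIRECT = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.test/\r\n\r\n"
HTTPS_FORUM = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Security-Policy: frame-ancestors 'none'\r\n"
    "X-Frame-Options: deny\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Set-Cookie: phpbb_freecad_sid=abc123; path=/; HttpOnly\r\n"
    "Set-Cookie: phpbb_freecad_u=1; path=/; Secure; HttpOnly\r\n\r\n"
)
```

Running `audit(HTTP_REDIRECT, HTTPS_FORUM)` on the constructed sample reports only the phpbb_freecad_sid cookie, which is the remaining gap saso describes.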