Freecadweb HTTPS redirect
Forum rules
Be nice to others! Read the FreeCAD code of conduct!
- kkremitzki
- Veteran
- Posts: 2515
- Joined: Thu Mar 03, 2016 9:52 pm
- Location: Illinois
Freecadweb HTTPS redirect
Everything on freecadweb (forum, wiki, tracker) seems to work well with HTTPS, so I wanted to get feedback on switching the site to redirect to HTTPS automatically.
It's currently set up on the bug tracker, so if you try to visit, it'll redirect to HTTPS (as well as redirecting future requests to the wiki, forum, etc)
Is there any reason to hold off on applying this for the whole website?
- kkremitzki
- Veteran
- Posts: 2515
- Joined: Thu Mar 03, 2016 9:52 pm
- Location: Illinois
Re: Freecadweb HTTPS redirect
The homepage, forum, wiki, and tracker all should be redirecting HTTP to HTTPS now. Please let me know if you have any issues!
- kkremitzki
- Veteran
- Posts: 2515
- Joined: Thu Mar 03, 2016 9:52 pm
- Location: Illinois
Re: Freecadweb HTTPS redirect
There was an issue with me accidentally clobbering the .htaccess file that was used for short URLs in the wiki, so it was temporarily inaccessible. That should be fixed now, though.
Re: Freecadweb HTTPS redirect
Awesome!
Alone you go faster. Together we go farther
Please mark thread [Solved]
Want to contribute back to FC? Checkout:
'good first issues' | Open TODOs and FIXMEs | How to Help FreeCAD | How to report Bugs
Re: Freecadweb HTTPS redirect
kkremitzki wrote:
The homepage, forum, wiki, and tracker all should be redirecting HTTP to HTTPS now. Please let me know if you have any issues!

No issues so far, thank you for making the switch!
Re: Freecadweb HTTPS redirect
We can probably safely push it a bit further by also adding to .htaccess
Additionally, a few more things could be set, but they would probably need a bit more review and testing before deployment.
Code:
Header always set X-XSS-Protection "1; mode=block"
Header always set Content-Security-Policy "frame-ancestors 'none'"
Header always set X-Frame-Options "deny"
Header always set X-Content-Type-Options "nosniff"
https://blog.appcanary.com/2017/http-se ... aders.html
https://wiki.mozilla.org/Security/Guide ... b_Security
https://observatory.mozilla.org/analyze ... cadweb.org
https://observatory.mozilla.org/analyze ... cadweb.org
Re: Freecadweb HTTPS redirect
Looks good to me! For some reason I have the impression that my browser already automatically used the https version before..
- kkremitzki
- Veteran
- Posts: 2515
- Joined: Thu Mar 03, 2016 9:52 pm
- Location: Illinois
Re: Freecadweb HTTPS redirect
yorik wrote:
Looks good to me! For some reason I have the impression that my browser already automatically used the https version before..

It used to be that if you clicked a link using HTTPS or manually went to the site using HTTPS once, you'd start getting HTTP redirected so long as your cache knew HTTPS was available, but if you stayed on HTTP, you'd never get moved to HTTPS. Now, all HTTP requests are automatically and immediately redirected.
- kkremitzki
- Veteran
- Posts: 2515
- Joined: Thu Mar 03, 2016 9:52 pm
- Location: Illinois
Re: Freecadweb HTTPS redirect
saso wrote:
We can probably safely push it a bit further by also adding to .htaccess
Additionally, a few more things could be set, but they would probably need a bit more review and testing before deployment.
Code:
Header always set X-XSS-Protection "1; mode=block"
Header always set Content-Security-Policy "frame-ancestors 'none'"
Header always set X-Frame-Options "deny"
Header always set X-Content-Type-Options "nosniff"
https://blog.appcanary.com/2017/http-se ... aders.html
https://wiki.mozilla.org/Security/Guide ... b_Security
https://observatory.mozilla.org/analyze ... cadweb.org
https://observatory.mozilla.org/analyze ... cadweb.org

These have been added. The main site went from D+ to A- and the forums went from D to B+.
Re: Freecadweb HTTPS redirect
kkremitzki wrote:
These have been added. The main site went from D+ to A- and the forums went from D to B+.

Awesome and thank you!
Yes, on the forum there are some cookies (phpbb_freecad_u, phpbb_freecad_k, phpbb_freecad_sid) that don't have the "Secure" flag set. It is described in the observatory report and can also be checked from the browser (in chrome, developer tools, application tab, storage, cookies). If possible this should be added, I am however not sure how, it is probably a phpBB setting...
About the added .htaccess headers, I did check a bit for frames on our pages and did not find them (in chrome, developer tools, application tab, frames), if there would however be problems with frames we could try the "self, sameorigin" options for "Content-Security-Policy: frame-ancestors" and "X-Frame-Options" instead of "none, deny" that we have now. But if things are working I would leave it.
As for Content Security Policy (the one thing that is left), I would leave that for later...
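As an added example (not code from the thread or the FreeCAD project), the following Python audits a captured HTTP response for the three points raised in this thread: that plain HTTP is redirected to HTTPS, that the four .htaccess headers are present with the quoted values, and that every phpbb cookie carries the Secure flag. The host name and cookie values in the sample responses are constructed placeholders.

```python
# Added example, not from the thread: audit a captured HTTP response for the
# redirect, the four .htaccess headers and the cookie Secure flag discussed above.
REQUIRED_HEADERS = {
    "x-xss-protection": "1; mode=block",
    "content-security-policy": "frame-ancestors 'none'",
    "x-frame-options": "deny",
    "x-content-type-options": "nosniff",
}

def parse_response(raw):
    """Return (status, {lower-name: [values]}) for a raw HTTP/1.1 response."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        # a list per name keeps every repeated Set-Cookie header
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return int(lines[0].split()[1]), headers

def audit(raw, scheme):
    """Return a list of findings; an empty list means the response is clean."""
    status, hdr = parse_response(raw)
    findings = []
    if scheme == "http":  # plain HTTP must redirect, and only to https://
        target = hdr.get("location", [""])[0].lower()
        if not (300 <= status < 400 and target.startswith("https://")):
            findings.append("plain HTTP is not redirected to HTTPS")
        return findings
    for name, expected in REQUIRED_HEADERS.items():
        if name not in hdr:
            findings.append(f"missing header {name}")
        elif hdr[name][0].lower() != expected:
            findings.append(f"{name} is {hdr[name][0]!r}, expected {expected!r}")
    for cookie in hdr.get("set-cookie", []):
        attrs = [a.strip().lower() for a in cookie.split(";")]
        if "secure" not in attrs[1:]:
            findings.append(f"cookie {attrs[0].split('=', 1)[0]} lacks the Secure flag")
    return findings

# Constructed sample responses with a placeholder host (not real captures).
HTTP_REDIRECT = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://forum.example.invalid/\r\n\r\n"
HTTPS_PAGE = "\r\n".join([
    "HTTP/1.1 200 OK",
    "X-XSS-Protection: 1; mode=block",
    "Content-Security-Policy: frame-ancestors 'none'",
    "X-Frame-Options: deny",
    "X-Content-Type-Options: nosniff",
    "Set-Cookie: phpbb_freecad_u=1; path=/; HttpOnly; Secure",
    "Set-Cookie: phpbb_freecad_sid=abc; path=/; HttpOnly",
]) + "\r\n\r\n"
```

Running `audit(HTTP_REDIRECT, "http")` returns no findings, while `audit(HTTPS_PAGE, "https")` reports only the sid cookie that lacks Secure, which is the same gap the Observatory report flags.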