
HTTPS enforcement

Open sascha11110 opened this issue 6 years ago • 8 comments

Many users include images or other media from sites that do not use https. As a result, our website is marked as "non-secure" in the browser and in addition, this is a fairly high security risk.

~Since, from a practical point of view, we cannot completely prohibit users from embedding such content, we should take various soft measures that force users to https.~

Update 2021: Since meanwhile https is a very popular standard, it should be safe to completely forbid http content and use a hard enforcement here.

On the one hand, new content is problematic, but so is existing content. Therefore I suggest the following measures:

  • The editor points out that the placement of such new content is very critical
  • According to #46, such contents should not be packaged
  • Pages, events, etc. with such content are marked in the corresponding list view
  • There should be an additional list of all pages, events, etc. that have such content

sascha11110 avatar Oct 26 '18 14:10 sascha11110

I guess we can do this in the nginx configuration by redirecting everything from HTTP to HTTPS? I don't see any need to implement this in Django.

svenseeberg avatar Oct 30 '18 17:10 svenseeberg

Some users also include content from external sites that do not offer https. In this case the nginx configuration does not help us.

sascha11110 avatar Oct 30 '18 20:10 sascha11110

Oh sorry, I did not read carefully enough. Yes, this is a totally valid ticket.

svenseeberg avatar Oct 30 '18 23:10 svenseeberg

We can use the broken link checker to evaluate whether a link can be accessed via HTTPS. This should probably also be extended to foreign media sources (e.g. images).

ulliholtgrave avatar Jan 06 '22 10:01 ulliholtgrave

I think the best (not-breaking) solution for now would be to add a new list to our link checker that shows all "Insecure Links":


That means we just need to add a new link in the menu and filter URLs that start with http://.

svenseeberg avatar Jan 14 '23 10:01 svenseeberg

I think the best (not-breaking) solution for now would be to add a new list to our link checker that shows all "Insecure Links":

Good idea! I would even argue that this is a useful upstream contribution to https://github.com/DjangoAdminHackers/django-linkcheck. I opened https://github.com/DjangoAdminHackers/django-linkcheck/issues/149 there and see if I get feedback from the maintainer.

timobrembeck avatar Jan 14 '23 10:01 timobrembeck

Update: insecure links are now marked in the "SSL" column.

What's missing however is that insecure links are marked as invalid. At the moment, they're still counted as valid links when the result is successful.

timobrembeck avatar Apr 19 '23 19:04 timobrembeck
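Added example, not code from integreat-cms or django-linkcheck: a mixed-content scan along the lines proposed in the thread, listing the embedded http:// resources of a page and treating an insecure link as invalid even when it answers 200. The sample HTML and all hostnames are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that can pull a resource or link into a page.
URL_ATTRS = {"src", "href", "poster", "data", "action"}

class _UrlCollector(HTMLParser):
    """Collects candidate URLs from src/href-style attributes and srcset lists."""
    def __init__(self):
        super().__init__()
        self.urls = []
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value:
                continue
            if name in URL_ATTRS:
                self.urls.append(value.strip())
            elif name == "srcset":
                # "a.jpg 1x, b.jpg 2x": the first token of each candidate is the URL
                self.urls.extend(c.split()[0] for c in value.split(",") if c.split())

def insecure_urls(html, base_url):
    """Absolute http:// URLs embedded in html, i.e. the mixed-content candidates.
    Relative and protocol-relative references inherit the page scheme, so they
    are only flagged when base_url itself is http."""
    parser = _UrlCollector()
    parser.feed(html)
    found = []
    for raw in parser.urls:
        absolute = urljoin(base_url, raw)  # resolves "/x" and "//host/x"
        if urlsplit(absolute).scheme == "http" and absolute not in found:
            found.append(absolute)
    return found

def link_is_valid(url, status_code):
    """Link-checker verdict: the link must be reachable (2xx) AND use https.
    A plain http link is rejected even when it answers 200."""
    if urlsplit(url).scheme != "https":
        return False, "insecure scheme"
    if not 200 <= status_code < 300:
        return False, f"http status {status_code}"
    return True, "ok"

# Constructed sample content (hypothetical, not taken from the project):
SAMPLE = """<p>Hello <a href="http://example.org/info">info</a></p>
<img src="https://cdn.example.org/a.png" srcset="http://cdn.example.org/a.png 1x, https://cdn.example.org/a2.png 2x">
<img src="/static/logo.png"><video poster="//media.example.org/p.jpg"></video>
<img src="data:image/png;base64,AAAA">"""
```

`insecure_urls(SAMPLE, "https://integreat.example/page/")` reports only the two explicit http:// references; data: URIs and relative paths on an https page are left alone.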