
Config option to abort if https: not enabled; more emph. in documentation on using https #1

Open
jw35 opened this issue May 22, 2017 · 1 comment

Comments

@jw35

jw35 commented May 22, 2017

RAVEN019 in master TODO list

@jw35
Author

jw35 commented May 22, 2017

When used over http the cookie used to store logged-in session state is easily stolen. While much better than stealing long-term credentials such as username/password used with HTTP Basic auth, this is still bad. The documentation should emphasise the need to arrange for all Ucam Webauth accesses to be over https.

Aborting when not used over https unless a configuration option is explicitly set would be one way to raise awareness of this.
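One way the "abort unless explicitly allowed" behaviour could look, as an added example that is not code from the issue or from Ucam Webauth itself: a WSGI middleware that refuses to run the login flow over plain http unless a config flag is set, and a helper that marks the session cookie Secure so a browser never sends it over http. The config key `UCAM_WEBAUTH_ALLOW_HTTP`, the cookie name and the `trusted_proxy` switch are all assumptions made for the example.

```python
from http.cookies import SimpleCookie

# Hypothetical config key for this example; not a real Ucam Webauth option.
ALLOW_INSECURE_HTTP = "UCAM_WEBAUTH_ALLOW_HTTP"


def request_is_https(environ, trusted_proxy=False):
    """True if the request reached us over TLS.

    X-Forwarded-Proto is only honoured when the app is known to sit behind
    a proxy that sets it; otherwise any client could spoof the header."""
    if environ.get("wsgi.url_scheme") == "https":
        return True
    if trusted_proxy:
        return environ.get("HTTP_X_FORWARDED_PROTO", "").lower() == "https"
    return False


class RequireHttps:
    """Abort with 403 on http unless the config explicitly allows it."""

    def __init__(self, app, config, trusted_proxy=False):
        self.app = app
        self.allow_insecure = bool(config.get(ALLOW_INSECURE_HTTP, False))
        self.trusted_proxy = trusted_proxy

    def __call__(self, environ, start_response):
        if not self.allow_insecure and not request_is_https(environ, self.trusted_proxy):
            # Refuse rather than hand out a session cookie that can be sniffed.
            body = b"Ucam Webauth must be used over https\n"
            start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                             ("Content-Length", str(len(body)))])
            return [body]
        return self.app(environ, start_response)


def session_cookie(name, value):
    """Set-Cookie value for the login session: Secure + HttpOnly + Path=/."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["secure"] = True
    jar[name]["httponly"] = True
    jar[name]["path"] = "/"
    return jar[name].OutputString()


def demo_app(environ, start_response):
    # Stand-in for the protected application; cookie name/value are constructed.
    cookie = session_cookie("webauth_session", "constructed-session-token")
    start_response("200 OK", [("Content-Type", "text/plain"), ("Set-Cookie", cookie)])
    return [b"logged in\n"]


def call_app(app, environ):
    """Drive a WSGI app in-process and return (status, headers, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body
```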
