On 27 Mar 2016, at 16:30, Sylvain Munaut 246tnt@gmail.com wrote:
Do you know if redmine supports going to HTTPS only (i.e. redir http to https). I changed the "protocol" to HTTPS in the admin panel but that had no effect afaict.
I think this should be done on nginx’s level. According to this test everything looks good, although HSTS could be introduced since it is not a hard thing to set up as far as I remember and it would improve the grade to A+ :): https://www.ssllabs.com/ssltest/analyze.html?d=osmocom.org&s=2a01%3a4f8%...
This blogpost, although quite old, offers a good list of things to look at: https://timtaubert.de/blog/2014/10/deploying-tls-the-hard-way/
I would prefer to be HTTPS only and also have the session cookie have the "Secure" flag (so they're never sent over plain HTTP)
Cheers, Domi
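An added offline check, not part of the thread and not code from osmocom.org or Redmine, that audits the three properties discussed above (HTTP-to-HTTPS redirect, HSTS, Secure-flagged session cookies) given already-captured response headers; the header values and the `example.invalid` host are constructed samples, and the 180-day `HSTS_MIN_AGE` threshold is an assumption.

```python
"""Audit the three TLS deployment properties raised in the thread:
HTTP->HTTPS redirect, a Strict-Transport-Security header, and Secure cookies.
All headers below are constructed samples, not captures from any real host."""
import re

HSTS_MIN_AGE = 15552000  # assumed threshold: 180 days in seconds


def redirects_to_https(status, headers):
    """True if the plain-HTTP response is a 3xx whose Location is https://."""
    location = headers.get("location", "")
    return 300 <= status < 400 and location.lower().startswith("https://")


def hsts_max_age(headers):
    """max-age from Strict-Transport-Security, or None if absent/malformed."""
    value = headers.get("strict-transport-security")
    if value is None:
        return None
    m = re.search(r"max-age\s*=\s*\"?(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else None


def insecure_cookies(set_cookie_values):
    """Names of cookies set without the Secure attribute (sent over plain HTTP too)."""
    bad = []
    for raw in set_cookie_values:
        parts = [p.strip() for p in raw.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "secure" not in attrs:
            bad.append(name)
    return bad


def audit(http_status, http_headers, https_headers, set_cookies):
    """Combine the three checks into one findings dict."""
    age = hsts_max_age(https_headers)
    return {
        "redirects_to_https": redirects_to_https(http_status, http_headers),
        "hsts_ok": age is not None and age >= HSTS_MIN_AGE,
        "insecure_cookies": insecure_cookies(set_cookies),
    }


# Constructed sample: redirect in place, HSTS missing, session cookie lacks Secure.
SAMPLE_HTTP = (301, {"location": "https://example.invalid/"})
SAMPLE_HTTPS = {"content-type": "text/html"}
SAMPLE_COOKIES = ["_redmine_session=abc123; path=/; HttpOnly"]

if __name__ == "__main__":
    print(audit(SAMPLE_HTTP[0], SAMPLE_HTTP[1], SAMPLE_HTTPS, SAMPLE_COOKIES))
```

Feed it the status and headers from a real `http.client` or `curl -I` capture of the HTTP and HTTPS endpoints to reproduce the ssllabs-style findings without leaving the shell.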