On 27 Mar 2016, at 16:30, Sylvain Munaut <246tnt(a)gmail.com> wrote:
Do you know if redmine supports going to HTTPS only (i.e. redir http to https).
I changed the "protocol" to HTTPS in the admin panel but that had no effect afaict.
I think this should be done on nginx’s level. According to this test everything
looks good, although HSTS could be introduced since it is not a hard thing to set up as
far as I remember and it would improve the grade to A+ :):
https://www.ssllabs.com/ssltest/analyze.html?d=osmocom.org&s=2a01%3a4f8…
This blogpost, although quite old, offers a good list of things to look at:
https://timtaubert.de/blog/2014/10/deploying-tls-the-hard-way/
I would prefer to be HTTPS only and also have the session cookie have
the "Secure" flag (so they're never sent over plain HTTP)
Cheers,
Domi
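
The three points raised in this thread (HTTP redirected to HTTPS, an HSTS header, and the "Secure" flag on the session cookie) can be checked from response headers alone. The following is an added example, not part of the original messages or of the project's configuration; the hostname, cookie name and sample responses are constructed placeholders.

```python
from urllib.parse import urlsplit

def parse_head(raw):
    """Split a raw response head into (status_code, [(lowercased name, value)])."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    pairs = (line.partition(":") for line in lines[1:] if ":" in line)
    return status, [(n.strip().lower(), v.strip()) for n, _, v in pairs]

def audit(http_head, https_head):
    """Return findings for the site; an empty list means all three checks pass."""
    findings = []
    # 1. The plain-HTTP response must be a redirect whose target is https://
    status, headers = parse_head(http_head)
    location = dict(headers).get("location", "")
    if status not in (301, 302, 307, 308) or urlsplit(location).scheme != "https":
        findings.append("plain HTTP is not redirected to HTTPS")
    # 2. The HTTPS response must carry HSTS with a non-zero max-age
    _, headers = parse_head(https_head)
    hsts = dict(headers).get("strict-transport-security", "")
    ages = [d.split("=", 1)[1].strip().strip('"') for d in hsts.lower().split(";")
            if d.strip().startswith("max-age=")]
    if not ages or not ages[0].isdigit() or int(ages[0]) == 0:
        findings.append("HSTS missing or disabled (max-age=0)")
    # 3. Every cookie set over HTTPS must have the Secure attribute
    for name, value in headers:  # a response may carry several Set-Cookie headers
        if name == "set-cookie":
            attrs = [a.strip().lower() for a in value.split(";")[1:]]
            if "secure" not in attrs:
                findings.append("cookie '%s' lacks Secure" % value.split("=", 1)[0])
    return findings

# Constructed sample responses (hostname and cookie name are placeholders).
WEAK_HTTP = "HTTP/1.1 200 OK\nSet-Cookie: session_id=abc; path=/; HttpOnly\n"
WEAK_HTTPS = "HTTP/1.1 200 OK\nSet-Cookie: session_id=abc; path=/; HttpOnly\n"
GOOD_HTTP = "HTTP/1.1 301 Moved Permanently\nLocation: https://example.org/\n"
GOOD_HTTPS = ("HTTP/1.1 200 OK\n"
              "Strict-Transport-Security: max-age=31536000\n"
              "Set-Cookie: session_id=abc; path=/; HttpOnly; Secure\n")

if __name__ == "__main__":
    print(audit(WEAK_HTTP, WEAK_HTTPS))
    print(audit(GOOD_HTTP, GOOD_HTTPS))
```

To run it against a live site, feed it the header output of one request to the http:// URL and one to the https:// URL.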