[ http://jira.fi-ware.org/browse/SEC-39?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13039#comment-13039 ]

Alvaro del Castillo commented on SEC-39:
----------------------------------------

Though it may not be mandatory, when deploying using the default configuration, it is enabled by default. If the user has not configured the web server to handle https connections, the application will not be accessible. When doing our tests, accessing the application through http automatically redirects to https.

The default configuration file for the production environment (config/environments/production.rb) has this option enabled by default:

{quote}
# Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
config.force_ssl = true
{quote}

So with the default configuration, the user needs to add https configuration to the web server. Commenting out this option or modifying its value to false will allow the application to use http instead of https.

Please, if it's not mandatory, then add instructions on how to configure it and warn the users that it is enabled by default.

> CLONE - [Fiware-tech-help] [Chp - Security][Identity Management] Https needed for production environment
> --------------------------------------------------------------------------------------------------------
>
>                 Key: SEC-39
>                 URL: http://jira.fi-ware.org/browse/SEC-39
>             Project: Chp - Security
>          Issue Type: Bug
>          Components: Identity Management
>            Reporter: FIWARE-TECH-HELP
>            Assignee: Álvaro Alonso
>         Attachments: Nachricht als Anhang, Nachricht als Anhang, Nachricht als Anhang, philipp_slusallek.vcf
>
>
> The installation guide does not state that the application, when using
> the production environment, uses https instead of http, so the user
> needs to configure the web server to allow access through https.
> _______________________________________________
> Fiware-tech-help mailing list
> Fiware-tech-help at lists.fi-ware.org
> https://lists.fi-ware.org/listinfo/fiware-tech-help

--
This message was sent by Atlassian JIRA
(v6.1.7#6163)
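
An added illustration, not part of the original message and not Rails' own middleware: a simplified Ruby model of the three behaviours the production.rb comment names (redirect to https, Strict-Transport-Security, secure cookies), showing why a deployment without an https listener becomes unreachable. The class name, host, path, cookie and max-age value are assumptions constructed for the example.

```ruby
# Simplified model of what `config.force_ssl = true` is described as doing.
# ForceSSLModel is a hypothetical name; this is not the Rails implementation.
class ForceSSLModel
  HSTS_VALUE = "max-age=31536000" # constructed value for illustration

  def initialize(app, enabled:)
    @app = app
    @enabled = enabled
  end

  def call(env)
    # force_ssl commented out or false: requests pass through untouched.
    return @app.call(env) unless @enabled

    # Plain http: answer with a redirect to the same path on https.
    # If the web server has no https listener, this redirect leads nowhere,
    # which is the inaccessibility reported in the comment.
    if env["rack.url_scheme"] != "https"
      location = "https://#{env['HTTP_HOST']}#{env['PATH_INFO']}"
      return [301, { "Location" => location }, []]
    end

    status, headers, body = @app.call(env)
    headers = headers.merge("Strict-Transport-Security" => HSTS_VALUE)
    if headers["Set-Cookie"]
      # Mark every cookie as secure unless it already is.
      headers["Set-Cookie"] = headers["Set-Cookie"].split("\n").map do |c|
        c.match?(/;\s*secure\b/i) ? c : "#{c}; secure"
      end.join("\n")
    end
    [status, headers, body]
  end
end

# Constructed stand-in for the application behind the middleware.
APP = ->(_env) { [200, { "Set-Cookie" => "_session=abc; path=/; HttpOnly" }, ["ok"]] }

# Sends one constructed request through the model and returns the response triple.
def request(enabled, scheme)
  env = { "rack.url_scheme" => scheme,
          "HTTP_HOST" => "idm.example.org", # constructed host
          "PATH_INFO" => "/users/sign_in" } # constructed path
  ForceSSLModel.new(APP, enabled: enabled).call(env)
end
```
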