PINE64
Force HTTPS on forum



Force HTTPS on forum - Danct12 - 03-02-2021

As of right now, the website can be visited without HTTPS (http://forum.pine64.org). This is a major security risk as it's possible to steal cookies over the network.


RE: Force HTTPS on forum - KC9UDX - 03-02-2021

Pretty sure we've been down this road.

If you are so worried, don't use it. (Does your "s" key work? :) )

Some of us want the "scary insecure" way to do it.


RE: Force HTTPS on forum - Danct12 - 03-02-2021

(03-02-2021, 02:49 AM)KC9UDX Wrote: If you are so worried, don't use it.

It also breaks the website in some way as well (e.g. recent alerts).

See attachment.


RE: Force HTTPS on forum - lot378 - 03-02-2021

A static web site with no accounts might be fine on HTTP.

Otherwise, HTTPS -- "This is the way".

Yes, on the forums (and any other part of the Pine64 community or store) that have an account, HTTPS must be enforced. This is for security.

CORS is a separate issue.
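An added example, not part of the thread and not the forum's own code: a defender-side check of whether a site with accounts actually enforces HTTPS, covering the redirect from plain HTTP, an HSTS policy, and the `Secure` flag on cookies. The host `forum.example`, the cookie name `sid` and all response data are constructed for illustration.

```python
from urllib.parse import urlsplit

def parse_cookie_attrs(set_cookie):
    """Return (cookie name, set of lower-cased attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs

def hsts_max_age(value):
    """Return max-age from a Strict-Transport-Security value, or 0 if absent/invalid."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.lower() == "max-age" and val.strip('"').isdigit():
            return int(val.strip('"'))
    return 0

def audit(host, http_resp, https_resp):
    """Each response is (status, [(header, value), ...]). Returns a list of findings."""
    findings = []
    status, headers = http_resp
    loc = next((v for k, v in headers if k.lower() == "location"), "")
    target = urlsplit(loc)
    if status not in (301, 302, 307, 308) or target.scheme != "https" or target.hostname != host:
        findings.append("plain HTTP is served instead of redirecting to HTTPS")
    for k, v in headers:
        if k.lower() == "set-cookie":
            findings.append(f"cookie {parse_cookie_attrs(v)[0]!r} is set over plain HTTP")
    _, headers = https_resp
    sts = next((v for k, v in headers if k.lower() == "strict-transport-security"), "")
    if hsts_max_age(sts) <= 0:
        findings.append("no HSTS policy, so browsers may keep trying HTTP first")
    for k, v in headers:
        if k.lower() == "set-cookie":
            name, attrs = parse_cookie_attrs(v)
            if "secure" not in attrs:
                findings.append(f"cookie {name!r} lacks Secure and is sent over HTTP too")
    return findings

# Constructed sample responses (not captured from any real site).
WEAK_HTTP = (200, [("Content-Type", "text/html"), ("Set-Cookie", "sid=abc123; path=/; HttpOnly")])
WEAK_HTTPS = (200, [("Set-Cookie", "sid=abc123; path=/; HttpOnly")])
GOOD_HTTP = (301, [("Location", "https://forum.example/")])
GOOD_HTTPS = (200, [("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
                    ("Set-Cookie", "sid=abc123; Path=/; Secure; HttpOnly")])

if __name__ == "__main__":
    for label, pair in (("weak", (WEAK_HTTP, WEAK_HTTPS)), ("good", (GOOD_HTTP, GOOD_HTTPS))):
        print(label, audit("forum.example", *pair))
```
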


RE: Force HTTPS on forum - KC9UDX - 03-02-2021

We had a long discussion on this a while back, but I can't find it because the search here stinks.

Mandatory self-security for the sole sake of self-security isn't really necessary. Not on the forum. The store, yes. Forum, no.

Last time, I probably likened this to the mandatory use of electronic stability systems in cars. If it makes you feel safer, by all means you do it. But there's really no need to force everyone to. Know your limits, take responsibility for yourself. Obviously, don't use the same password here that you use for your Bitcoin wallet. But hey, even if you do, you know the risk. If you don't know the risk, you shouldn't be online.