Comments (9)
++
Projects as "letsencrypt.org" soon will give a free valid HTTPS option for all websites.
1 Route, Route Group or even the whole app should have an option to support only HTTPS requests. (Perhaps the app should also make a proper redirection to HTTPS in all cases when the server doesn't do that in the 1st place.)
It's a good way to motivate people to push their apps to HTTPS, and with that this will help improve security all over the net.
You know that some big companies are forcing anyone who is using their systems to have HTTPS already, and this is 1 big +. In CI's case of course it should be optional.
from codeigniter4.
A possibly helpful note: If you choose to do this via an HTTP redirect, make sure to use the 308 status code, which preserves the request method, i.e. won't change a POST to GET and destroy a submitted form's data.
https://tools.ietf.org/html/rfc7238
from codeigniter4.
@narfbg Excellent reminder. I probably would have forgotten that. Thank you.
from codeigniter4.
Notes to self:
- The SessionID must be regenerated when we switch from HTTP to HTTPS.
- Should attempt to use HTTP Strict Transport Security to enforce the switch. (Need to verify browser support)
from codeigniter4.
@narfbg As far as I can tell 308 is still not approved. Seems Firefox at least supports it, but unsure of the rest of the browsers. Looks like Google had a 308 used for resumable requests in their now-defunct Gears project. I cannot find a list of browser support for the different status codes.
Are you aware of a resource that tells us how much support 308 can expect? I'm currently using the default redirect option of 302/307 depending on request type but would like to move to 308 if we know it's supported.
from codeigniter4.
Hmm ... looks like I've overlooked the status of that RFC.
Experimental basically means that research and development efforts are in progress, but you can't reasonably expect support for it in production. For this one in particular, browsers should fall back to another 3xx code if they encounter a 308 and don't understand it, but some may refuse to process it at all.
from codeigniter4.
Alright, I'll leave this to the default 302/307 option, then, and we can keep an eye on things in the future. Thanks.
from codeigniter4.
On another note, this end result may be for the best in this particular case.
If there's e.g. a CSRF token in the message body for an unencrypted POST request, it's probably not a good idea to just redirect the same message body contents to a secure connection - we just had it over a non-httpS one, so it may've been intercepted. Better let the page generate a new token to be used under httpS. :)
from codeigniter4.
Oh dang. Yeah, good call! :)
from codeigniter4.
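An added example, not CodeIgniter's own code, sketching the HTTP to HTTPS switch the thread converges on: 302 for GET/HEAD and 307 otherwise by default, 308 only as an opt-in, session ID regeneration and HSTS once on HTTPS, and an option to drop the POST body so the page issues a fresh CSRF token as suggested above (the thread names no status code for that; 303 is this example's choice). All function names are hypothetical.

```php
<?php
// Added example, not CodeIgniter's own code: a framework-agnostic sketch of
// the HTTP -> HTTPS switch discussed above. Function names are hypothetical.

// Pick the status code for the redirect to HTTPS.
//  - GET/HEAD: 302, nothing is lost by repeating the request.
//  - other methods: 307 preserves method and body (the thread's default);
//    308 does the same but was still experimental when this was written,
//    so it is opt-in; 303 deliberately drops the body so the form is
//    re-rendered over HTTPS with a fresh CSRF token (one way to act on the
//    caveat above; the thread itself does not name a status code for it).
function httpsRedirectStatus(string $method, bool $use308 = false, bool $dropBody = false): int
{
    $method = strtoupper($method);
    if ($method === 'GET' || $method === 'HEAD') {
        return 302;
    }
    if ($dropBody) {
        return 303;
    }
    return $use308 ? 308 : 307;
}

// Build [status, headers] for the redirect. $host should come from the app's
// configured base URL, not from the incoming Host header, so a crafted Host
// cannot steer the redirect elsewhere. No HSTS here: this response goes out
// over plain HTTP, where browsers are required to ignore the header.
function httpsRedirect(string $method, string $host, string $requestUri, bool $use308 = false, bool $dropBody = false): array
{
    $status = httpsRedirectStatus($method, $use308, $dropBody);
    return [$status, ['Location' => 'https://' . $host . $requestUri]];
}

// Once the request arrives over HTTPS: regenerate the session ID (the old one
// travelled over plain HTTP and may have been observed) and send HSTS so the
// browser goes straight to HTTPS next time.
function onHttpsArrival(int $hstsMaxAge = 31536000): array
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true); // true: delete the old session data
    }
    return ['Strict-Transport-Security' => 'max-age=' . $hstsMaxAge];
}

// Demo with constructed input: a form POST arriving over plain HTTP,
// configured to drop the body so the form is re-rendered over HTTPS.
[$status, $headers] = httpsRedirect('POST', 'example.com', '/login', false, true);
echo $status . ' ' . $headers['Location'] . PHP_EOL;
```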