[ https://issues.apache.org/jira/browse/LUCENE-9227?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17043985#comment-17043985 ]
Uwe Schindler commented on LUCENE-9227:
---------------------------------------

bq. Tested with browser and curl. The redirect works, but I know nothing about STS

Thanks. STS is Strict Transport Security (https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security). It sends a special HTTP header that instructs the browser to always use HTTPS for a domain. This lowers the risk that somebody intercepts the initial connection to the webserver with HTTP (users normally only enter the domain name, making the browser use HTTP and get redirected to HTTPS). As the redirect is not secured, a bad guy could remove the redirect and serve a (modified) page. With HSTS the browser will (except for the very first access) use HTTPS forever, also when links use HTTP or the user enters the domain name without a protocol. Basically, once you have sent this header you can no longer switch off HTTPS until the lifetime of this header has expired. The recommendation is to send one year or more, but I initially added 300 seconds for testing. It's now deployed also in production. I will raise it to one year next weekend.

> Make page ready for pure HTTPS
> ------------------------------
>
> Key: LUCENE-9227
> URL: https://issues.apache.org/jira/browse/LUCENE-9227
> Project: Lucene - Core
> Issue Type: Sub-task
> Reporter: Uwe Schindler
> Assignee: Uwe Schindler
> Priority: Blocker
>
> The web page can currently be visited using HTTPS but this brings warnings:
> - Both search providers create a form that passes USER ENTERED INPUT using no encryption. This is not allowed due to GDPR. We have to fix this asap. It looks like [~otis] search is working with HTTPS (if we change domain name), but the Lucidworks one does not
> - There were some CSS files loaded with HTTP (fonts from Google - this was fixed)
> Once those 2 problems are fixed (I grepped for HTTP and still found many links with HTTP, but it looks like no images or scripts or css anymore), I'd like to add a permanent redirect http://lucene.apache.org/ -> https://lucene.apache.org to the htaccess template file.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
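The two pieces discussed in this thread, the permanent HTTP -> HTTPS redirect for the htaccess template and the Strict-Transport-Security header with a short max-age for testing and a one-year value for production, as an added example. This is not the Lucene project's actual htaccess template; it assumes Apache httpd 2.4 with mod_rewrite and mod_headers loaded and with AllowOverride permitting FileInfo directives in .htaccess. The header is only emitted on HTTPS responses, because browsers ignore an HSTS header received over plain HTTP (RFC 6797) and sending it there is pointless.

```apache
# Added example: HTTP -> HTTPS redirect plus HSTS for a site served from .htaccess.
# Assumes Apache 2.4, mod_rewrite and mod_headers, and AllowOverride FileInfo.

# 1. Permanent (301) redirect of every plain-HTTP request to the same path on HTTPS.
#    %{HTTPS} is "on" when the request already arrived over TLS, so only HTTP hits match.
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# 2. Strict-Transport-Security. Once a browser has seen this header it will refuse to
#    talk plain HTTP to this host until max-age seconds have passed, so start small
#    while verifying that every page and asset really works over HTTPS.
#
#    Testing phase (5 minutes), as used initially in the thread:
#Header always set Strict-Transport-Security "max-age=300" "expr=%{HTTPS} == 'on'"
#
#    Production (one year = 31536000 seconds), the value recommended in the thread.
#    "always" also covers error responses; the expr= condition restricts the header
#    to TLS responses, since HSTS over plain HTTP is ignored by browsers.
Header always set Strict-Transport-Security "max-age=31536000" "expr=%{HTTPS} == 'on'"
```

To verify the deployment from a shell, `curl -sI http://lucene.apache.org/` should return a 301 with a `Location: https://...` header and no Strict-Transport-Security header, while `curl -sI https://lucene.apache.org/` should return `Strict-Transport-Security: max-age=31536000`. Keep in mind that lowering max-age later does not help visitors who already cached the long value; the policy only expires on their side.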