codeforsanjose / disaster-response-sj

Exploration of adding civic tech component to San Jose disaster response
MIT License

Implement HTTPS for authentication #54

Closed (aliu-vmware closed this 5 years ago)

aliu-vmware commented 5 years ago

Sending plaintext passwords over the internet is a massive security hole. Any site that requires authentication should implement HTTPS for basic channel security.

https://aws.amazon.com/certificate-manager/ should be able to do it. This can probably also be done using LetsEncrypt.

sunnymui commented 5 years ago

In addition to the SSL certificate, you also need to force redirects to https.

Apache instructions / snippet: https://www.namecheap.com/support/knowledgebase/article.aspx/9821/38/apache-redirect-to-https

nginx instructions / snippet: https://serversforhackers.com/c/redirect-http-to-https-nginx
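As an added example (not code from the disaster-response-sj repo or from either commenter), here is a minimal nginx configuration that does what the comment above describes: the port 80 block exists only to redirect, and the application is served solely over TLS. The hostname, certificate paths and backend address are placeholders.

```nginx
# Port 80: accept plain HTTP only long enough to send the client to HTTPS.
# $host and $request_uri preserve the original hostname and path, so a
# bookmarked http:// link to the login page still lands on the right page.
server {
    listen 80;
    server_name example.org;            # placeholder hostname

    return 301 https://$host$request_uri;
}

# Port 443: the only block that actually serves the app, so a password
# never leaves the browser on an unencrypted connection.
server {
    listen 443 ssl;
    server_name example.org;            # placeholder hostname

    # Placeholder paths; with Let's Encrypt/certbot the files are
    # typically under /etc/letsencrypt/live/<domain>/
    ssl_certificate     /etc/ssl/certs/example.org.fullchain.pem;
    ssl_certificate_key /etc/ssl/private/example.org.key;

    ssl_protocols TLSv1.2 TLSv1.3;

    # HSTS: once a browser has seen this header over HTTPS it will not
    # attempt plain HTTP for the next max-age seconds (here ~6 months).
    # Start with a short max-age until the HTTPS setup is confirmed working,
    # because a bad certificate becomes a hard failure rather than a warning.
    add_header Strict-Transport-Security "max-age=15768000" always;

    location / {
        proxy_pass http://127.0.0.1:8000;   # placeholder app backend on loopback
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;  # lets the app know TLS was used
    }
}
```

To confirm the redirect after deploying, `curl -I http://example.org/login` should return a 301 whose Location header starts with `https://` and keeps the `/login` path.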