compsoc-edinburgh / website-django

The website

Use HTTP for most pages, move HTTPS to secure.comp-soc.com. #31

Open R2ZER0 opened 9 years ago

R2ZER0 commented 9 years ago

Reverting my previous policy of HTTPS everywhere, and automatically redirecting HTTP -> HTTPS, for two reasons:

  1. Security concerns discussed here: http://myers.io/2014/01/28/should-i-redirect-http-to-https/
  2. Performance: our site is slow as it is! Due to the certificate chain, a request to globalsign seems to be made for each page request (investigate this?)

AngusP commented 9 years ago

The site is mostly non-cookie, so only HTTPS for /admin & when logged in (if that's possible?) would seem like a good way forward.

R2ZER0 commented 9 years ago

Oh yeah that's a point, cookies are always sent if someone is logged in... hmm...

R2ZER0 commented 9 years ago

No, yeah that's a good suggestion actually.

It would still be possible to separate secure.comp-soc.com and www.comp-soc.com, having www for regular pages, secure for pages that require being logged in or access to user info. Then, cookies would only be set and sent on the secure subdomain, where there is no chance of an unencrypted connection. Woot!
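The host split proposed above, sketched as an added example (not code from the website-django repository): the Django cookie settings that pin session and CSRF cookies to the secure host, a pure routing function a middleware could wrap, and an RFC 6265 check showing which requests the browser would attach the cookie to. The `SECURE_PREFIXES` list and the routing rules are assumptions for the example.

```python
from urllib.parse import urlunsplit

# Hosts named in the issue.
PUBLIC_HOST = "www.comp-soc.com"
SECURE_HOST = "secure.comp-soc.com"

# Real Django settings. Scoping Domain to secure.comp-soc.com (not
# .comp-soc.com) keeps the browser from sending these cookies to www at
# all; Secure keeps them off plain-HTTP requests to any host.
SESSION_COOKIE_DOMAIN = SECURE_HOST
SESSION_COOKIE_SECURE = True
SESSION_COOKIE_HTTPONLY = True
CSRF_COOKIE_DOMAIN = SECURE_HOST
CSRF_COOKIE_SECURE = True

# URL prefixes that need a login and so must live on the secure host
# (assumed for this example; the real site's prefixes may differ).
SECURE_PREFIXES = ("/admin/", "/accounts/", "/members/")


def redirect_target(host, is_secure, path):
    """Return the URL to redirect to, or None if the request may be served
    where it is.  Kept as a pure function so it is unit-testable; a Django
    middleware would call it and return HttpResponseRedirect."""
    secure_url = urlunsplit(("https", SECURE_HOST, path, "", ""))
    if path.startswith(SECURE_PREFIXES):
        # Login-only pages: only ever HTTPS on the secure host.
        return None if (host == SECURE_HOST and is_secure) else secure_url
    if host == SECURE_HOST and not is_secure:
        # Never serve the cookie-bearing host over plain HTTP.
        return secure_url
    # Public pages stay put; HTTP on www is fine because no cookie exists.
    return None


def cookie_is_sent(cookie_domain, cookie_secure, req_host, req_is_secure):
    """RFC 6265 rule: a cookie is attached when the request host
    domain-matches the Domain attribute and, if the cookie is Secure,
    the request is over HTTPS."""
    domain_ok = req_host == cookie_domain or req_host.endswith("." + cookie_domain)
    return domain_ok and (req_is_secure or not cookie_secure)
```

With the domain left at `.comp-soc.com` instead, `cookie_is_sent` returns True for a plain-HTTP request to www, which is exactly the leak the split is meant to rule out.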