deis / workflow-cli

The CLI for Deis Workflow
http://deis.com
MIT License

Change --ssl-verify default on register and login to true #264

Closed jschneiderhan closed 7 years ago

jschneiderhan commented 7 years ago

The current default is false, which could leave clients vulnerable to MitM attacks.

PR incoming shortly :)

bacongobbler commented 7 years ago

@jschneiderhan this is something we cannot change by default, as the default use case is users who have not installed SSL certificates on their cluster. Enabling it by default will create errors in those cases, breaking the dev approach and backwards compatibility.

bacongobbler commented 7 years ago

If we had a secure-by-default cluster then sure, but that'd be a breaking change and would merit a v3 release.

jschneiderhan commented 7 years ago

@bacongobbler ok - thanks for letting me know. Would you like me to close this issue or leave it open for consideration in a future release?

bacongobbler commented 7 years ago

I'll bring up a more generic topic on making Workflow secure by default. Thanks for bringing this to our attention!

Let's close this issue once that issue exists. :)

Joshua-Anderson commented 7 years ago

@bacongobbler How would this break clusters for users that don't have ssl certificates? Workflow defaults to http, so a dev cluster wouldn't hit this, would they?

bacongobbler commented 7 years ago

Ah, I thought it'd come into play with http, so no, a dev cluster would not hit this.

@jschneiderhan my mistake. PR away!

jschneiderhan commented 7 years ago

Looks like I forgot to close this when #265 was merged
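
Added example, not part of the thread and not code from workflow-cli: a Go sketch of the point settled above, that certificate verification only matters for HTTPS endpoints, so a plain-HTTP dev cluster is unaffected by a verify-by-default client while an untrusted HTTPS certificate is rejected. The names `newClient`, `probe` and `runMatrix` are hypothetical, and mapping the flag to `InsecureSkipVerify` is an assumption about how such a flag is typically wired.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// newClient models an --ssl-verify style switch (assumed wiring):
// verify=false disables certificate validation for HTTPS connections.
func newClient(verify bool) *http.Client {
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: !verify},
	}}
}

// probe reports whether a GET to url succeeds under the given setting.
func probe(url string, verify bool) bool {
	resp, err := newClient(verify).Get(url)
	if err != nil {
		return false // e.g. x509: certificate signed by unknown authority
	}
	defer resp.Body.Close()
	return resp.StatusCode == http.StatusOK
}

// runMatrix starts two loopback test servers, one plain HTTP and one HTTPS
// with a test certificate the system does not trust, and probes each with
// verification on and off.
func runMatrix() map[string]bool {
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	plain := httptest.NewServer(ok)
	defer plain.Close()
	secure := httptest.NewTLSServer(ok)
	defer secure.Close()
	return map[string]bool{
		"http  verify=true":  probe(plain.URL, true),
		"http  verify=false": probe(plain.URL, false),
		"https verify=true":  probe(secure.URL, true),
		"https verify=false": probe(secure.URL, false),
	}
}

func main() {
	for name, reachable := range runMatrix() {
		fmt.Printf("%s -> reachable=%v\n", name, reachable)
	}
}
```

Only the `https verify=true` case fails: the client refuses the untrusted certificate, which is the protection the `false` default gives up.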