edgi-govdata-archiving / archivers.space

🗄 Event data management app used at DataRescues
https://www.archivers.space/
GNU Affero General Public License v3.0

Run archivers.space on SSL? #48

Closed kmcculloch closed 7 years ago

kmcculloch commented 7 years ago

This is really more of a programmatic decision than a programming one--who buys the certificate? who provides hosting? etc.--but if we're concerned about security we should at least discuss it.

dcwalk commented 7 years ago

The certificate was set up with Let's Encrypt, so no one purchased a cert. There does have to be a renewal every 90 days tho.

Unsure if I am understanding your questions but--the cert isn't 'hosted'; it was originally deployed by @danielballan on the Heroku instance.

~I'm not sure what the web server~ The web server is Cowboy, and with (incomplete) testing I'm getting redirected to https appropriately, but reviewing however that is configured would be good.

kmcculloch commented 7 years ago

Oh I see--I didn't realize there was a certificate. I've just been using the app over http and ignoring the browser warnings. (Duh.) So that's the issue, really: we should auto-direct to https and prevent insecure connections by non-technical users, or by technical users (I really am one, I promise!) who aren't thinking straight.

danielballan commented 7 years ago

See #51 for redirect and #52 for cert renewal.