ndarville / pony-forum

A modern alternative to ancient forum CMSes like vBulletin and PHPBB in Python on Django. (Alpha stage.) (NB: dotCloud have since removed their free Sandbox tier.)
http://pony-forum.com

SSL-proxying for user-submitted, non-SSL content #115

Closed ndarville closed 11 years ago

ndarville commented 11 years ago

When people post content not supported by SSL—e.g. http:// images from imgur—a mixed-content warning will appear, which could also pose a security risk.

Mitigation:

  1. https://news.ycombinator.com/item?id=5514902
  2. https://github.com/blog/743-sidejack-prevention-phase-3-ssl-proxied-assets

Discussion:

  1. https://news.ycombinator.com/item?id=5514344

Related:

  1. http://www.piware.de/2011/01/creating-an-https-server-in-python/
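
The camo-style mitigation from the GitHub link above (rewrite plain-http image URLs to HMAC-signed URLs on an HTTPS proxy, and have the proxy refuse anything unsigned), as an added Python example that is not pony-forum's own code; the proxy host, the shared secret, and the regex-based rewriting of `<img src>` are assumptions.

```python
import hmac
import hashlib
import re
from typing import Optional

# Assumed placeholders, not values from the project: the HTTPS proxy the forum
# would front images with, and a secret shared only between forum and proxy.
PROXY_HOST = "https://img-proxy.example"
SECRET_KEY = b"replace-with-a-long-random-secret"

# Matches the src attribute of <img> tags that point at plain-http URLs;
# https:// sources are left alone since they cause no mixed-content warning.
IMG_SRC_RE = re.compile(r'(<img\b[^>]*\bsrc=")(http://[^"]+)(")', re.IGNORECASE)


def sign(url: str) -> str:
    """Hex HMAC-SHA1 of the original URL, the scheme camo-style proxies use."""
    return hmac.new(SECRET_KEY, url.encode("utf-8"), hashlib.sha1).hexdigest()


def proxied_url(url: str) -> str:
    """Build the https proxy URL for one plain-http asset URL."""
    return f"{PROXY_HOST}/{sign(url)}/{url.encode('utf-8').hex()}"


def rewrite_html(html: str) -> str:
    """Forum side: rewrite every http:// <img src> in a post before rendering it."""
    return IMG_SRC_RE.sub(
        lambda m: m.group(1) + proxied_url(m.group(2)) + m.group(3), html
    )


def verify_proxy_path(digest: str, encoded: str) -> Optional[str]:
    """Proxy side: recover the URL and accept it only if the signature matches,
    so the proxy cannot be used as an open relay for arbitrary URLs."""
    try:
        url = bytes.fromhex(encoded).decode("utf-8")
    except ValueError:
        return None
    if not hmac.compare_digest(sign(url), digest):
        return None
    return url
```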

ndarville commented 11 years ago

It looks like this is already handled in Django, as long as you remember to assert the settings: https://docs.djangoproject.com/en/dev/topics/security/#ssl-https.

ndarville commented 11 years ago

Links:

  1. https://django-secure.readthedocs.org/en/latest/settings.html
  2. https://django-secure.readthedocs.org/en/latest/middleware.html#proxied-ssl
  3. https://docs.djangoproject.com/en/dev/ref/clickjacking/
  4. https://docs.djangoproject.com/en/dev/topics/security/#ssl-https
  5. http://security.stackexchange.com/questions/8964/trying-to-make-a-django-based-site-use-https-only-not-sure-if-its-secure

ndarville commented 11 years ago

Closed for now after f0c4ad0b486b77083b1899727aa5886f8cd23588.