Closed akolotov closed 6 years ago
I would suggest that we only enable http at compile-time so that there is no easy "escape hatch" for not enforcing https.
I am using parity nodes configured as private networks for bridge testing, so it is not only for compile time.
As per the recommendation from the team that provided the security audit for the POA bridge, it is necessary to force HTTPS connections for RPC communication.
In other words, the RPC connection must not succeed if HTTP is used, and the bridge instance must stop.
For testing purposes a new parameter like `force_https` could be introduced in the configuration file. Its value should be `yes` by default. If it is necessary to use an HTTP connection instead of HTTPS, the parameter needs to be set to `no`.
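One way the proposed check could be implemented, as an added example that is not poa-bridge code and not part of the issue: a `force_https` setting parsed from a minimal `key = value` config (absent key means `yes`), and a URL check that refuses a plaintext `http://` RPC endpoint before any connection is attempted, so the bridge can stop instead of silently talking over HTTP. The config syntax, the function names and the sample URLs are assumptions for illustration.

```rust
// Added example (not poa-bridge code): refuse a plaintext HTTP RPC endpoint
// unless the operator has explicitly set `force_https = no`.
// The `key = value` config syntax and the names below are assumptions.

use std::fmt;

#[derive(Debug, PartialEq)]
pub enum RpcUrlError {
    /// Scheme is plain http while force_https is on.
    PlaintextHttp(String),
    /// Scheme is neither http nor https.
    UnsupportedScheme(String),
}

impl fmt::Display for RpcUrlError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            RpcUrlError::PlaintextHttp(u) => {
                write!(f, "refusing plaintext HTTP RPC url {} (force_https = yes)", u)
            }
            RpcUrlError::UnsupportedScheme(u) => write!(f, "unsupported RPC url scheme in {}", u),
        }
    }
}

/// Read `force_https` from a minimal `key = value` config text.
/// A missing key yields `true`, matching the proposed default of `yes`.
/// Accepts yes/no and true/false; anything else is a config error.
pub fn parse_force_https(config: &str) -> Result<bool, String> {
    for raw in config.lines() {
        let line = raw.trim();
        if line.is_empty() || line.starts_with('#') {
            continue;
        }
        if let Some((key, value)) = line.split_once('=') {
            if key.trim() == "force_https" {
                let v = value.trim().trim_matches('"').to_ascii_lowercase();
                return match v.as_str() {
                    "yes" | "true" => Ok(true),
                    "no" | "false" => Ok(false),
                    other => Err(format!("invalid force_https value: {}", other)),
                };
            }
        }
    }
    Ok(true)
}

/// Validate the RPC URL scheme before opening any connection.
/// `https` is always accepted; `http` only when force_https is off.
pub fn check_rpc_url(url: &str, force_https: bool) -> Result<(), RpcUrlError> {
    let scheme = url.split("://").next().unwrap_or("").to_ascii_lowercase();
    match scheme.as_str() {
        "https" => Ok(()),
        "http" if !force_https => Ok(()),
        "http" => Err(RpcUrlError::PlaintextHttp(url.to_string())),
        _ => Err(RpcUrlError::UnsupportedScheme(url.to_string())),
    }
}

fn main() {
    // Constructed sample config; real bridge config keys are not modelled here.
    let cfg = "# bridge config (constructed sample)\nforce_https = yes\n";
    let force = parse_force_https(cfg).expect("bad config");
    // A plaintext endpoint must make the bridge stop rather than proceed.
    match check_rpc_url("http://127.0.0.1:8545", force) {
        Ok(()) => println!("rpc url accepted"),
        Err(e) => {
            eprintln!("fatal: {}", e);
            std::process::exit(1);
        }
    }
}
```

The check runs on the URL string alone, so it costs nothing and fails closed: an operator who wants a private-network HTTP node for testing has to write `force_https = no` explicitly, and the default configuration can never fall back to plaintext by omission.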