omni / poa-bridge

POA <-> Ethereum bridge for self transfers of POA native token to POA20 (ERC20 representation). Not supported. Use TokenBridge instead
https://github.com/poanetwork/token-bridge
GNU General Public License v3.0

HTTPS must be forced for RPC connections #79

Closed akolotov closed 6 years ago

akolotov commented 6 years ago

As per a recommendation from a team that provided a security audit for the POA bridge, it is necessary to force HTTPS connections for RPC communications.

In other words, the RPC connection must not succeed if HTTP is used, and the bridge instance must stop.

For testing purposes, a new parameter like force_https could be introduced in the configuration file. Its value should be yes by default. If it is necessary to use an HTTP connection instead of HTTPS, the parameter needs to be set to no.

yrashk commented 6 years ago

I would suggest that we only enable HTTP at compile time so that there is no easy "escape hatch" for not enforcing HTTPS.

akolotov commented 6 years ago

I am using parity nodes configured as private networks for bridge testing, so, it is not only for compile-time.
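
A sketch of the startup check proposed in the first comment, added here as an illustration and not taken from poa-bridge or from any commenter. It assumes RPC endpoints are configured as URLs and that only http and https are valid schemes; apart from `force_https` and its yes/no values, all names are hypothetical.

```rust
// Added example, not poa-bridge code. Only `force_https` and its yes/no values
// come from the issue; every other name here is hypothetical.
#[derive(Debug, PartialEq)]
pub enum RpcPolicyError {
    BadFlag(String),        // force_https is neither "yes" nor "no"
    MissingScheme(String),  // no "scheme://" prefix
    InsecureScheme(String), // plain http while HTTPS is forced
    Unsupported(String),    // any scheme other than http/https
}

/// Absent setting means "yes"; an unrecognised value is an error, not a downgrade.
pub fn parse_force_https(raw: Option<&str>) -> Result<bool, RpcPolicyError> {
    match raw.map(|v| v.trim().to_ascii_lowercase()).as_deref() {
        None | Some("yes") => Ok(true),
        Some("no") => Ok(false),
        Some(other) => Err(RpcPolicyError::BadFlag(other.to_string())),
    }
}

/// Check one RPC URL against the policy before any connection is attempted.
pub fn check_rpc_url(url: &str, force_https: bool) -> Result<(), RpcPolicyError> {
    let parts = url.trim().split_once("://");
    let (scheme, _) = parts.ok_or_else(|| RpcPolicyError::MissingScheme(url.to_string()))?;
    // URI schemes are case-insensitive, so "HTTP://" must not slip past.
    match scheme.to_ascii_lowercase().as_str() {
        "https" => Ok(()),
        "http" if !force_https => Ok(()),
        "http" => Err(RpcPolicyError::InsecureScheme(url.to_string())),
        other => Err(RpcPolicyError::Unsupported(other.to_string())),
    }
}

/// Startup gate: every configured endpoint must pass, or the bridge must not run.
pub fn startup_check(flag: Option<&str>, urls: &[&str]) -> Result<(), RpcPolicyError> {
    let force = parse_force_https(flag)?;
    urls.iter().try_for_each(|u| check_rpc_url(u, force))
}

fn main() {
    // Constructed endpoints standing in for the two RPC sides of the bridge.
    let urls = ["https://rpc.example.org:8545", "http://127.0.0.1:8545"];
    for flag in &[None, Some("no"), Some("off")] {
        match startup_check(*flag, &urls) {
            Ok(()) => println!("force_https={:?}: start bridge", flag),
            Err(e) => println!("force_https={:?}: refuse to start: {:?}", flag, e),
        }
    }
}
```

Running the check before any RPC client is constructed means a misconfigured endpoint stops the bridge at startup rather than after the first request has already gone out in cleartext.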