onnela-lab / mano

Mano - Beiwe research platform API
BSD 3-Clause "New" or "Revised" License

Possible Security Flaw in mano Package #1

Closed (bicarlsen closed this issue 5 years ago)

bicarlsen commented 5 years ago

Hello,

I am helping a friend get your platform set up, so I was going through the code. I noticed that in mano/sync/__init__.py, in the download() function on lines 130 - 141, you send all the information required to download patient data in clear text (i.e. all the POST data).

It seems this could lead to a security breach if a malicious actor is able to sniff the packets containing this information. If I remember correctly you require SSH protection for sites using your platform, but you may also want to consider changing this, if possible, as an added layer of protection.

tokeefe commented 5 years ago

All Beiwe instances should be running over HTTPS. The Beiwe installation guide walks users through setting that up. Any requests from mano will ultimately go out to whatever URL you have defined in your keyring URL field, which should begin with https://. But even if you supply http:// there should be a redirect to https. Does this answer your question?
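The reply above relies on the keyring URL beginning with https:// and on the server redirecting http:// to https://. One caveat a practitioner should keep in mind: a redirect is only received after the first request has already been sent, so a POST made to an http:// URL has already put its body (the credentials and study identifiers) on the wire in clear text before the redirect arrives. The client, not the server, has to enforce the scheme. The following Python block is an added example, not code from mano or Beiwe; the function names (`enforce_https`, `redirect_allowed`, `InsecureUrlError`) and the host `beiwe.example.org` are assumptions constructed for illustration.

```python
"""Added example (not part of mano or Beiwe): refuse to send
credentials over plain HTTP instead of trusting a server-side redirect.

Rationale: an http -> https redirect (301/302/307/308) arrives only
after the first request, including a POST body, has crossed the network
in clear text. Checking the scheme before sending closes that gap.
"""
from urllib.parse import urlsplit, urlunsplit


class InsecureUrlError(ValueError):
    """Raised when a URL would carry credentials without TLS."""


def enforce_https(url: str) -> str:
    """Return a normalised https:// base URL, or raise InsecureUrlError.

    Accepts only the https scheme. Rejects http, any other scheme, and a
    bare hostname with no scheme (urlsplit puts that in .path, leaving
    .scheme empty). A trailing slash is stripped so the result can be
    joined with an API path without producing a double slash.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        raise InsecureUrlError(
            f"refusing to send credentials to {url!r}: scheme must be https"
        )
    if not parts.netloc:
        raise InsecureUrlError(f"{url!r} has no host component")
    # Query and fragment are dropped: a base URL should carry neither.
    return urlunsplit(("https", parts.netloc, parts.path.rstrip("/"), "", ""))


def redirect_allowed(location: str) -> bool:
    """Decide whether a client may follow a redirect that re-sends a POST.

    Even when the original request was https, a misconfigured server (or
    an attacker who controls the route) could redirect to http. Following
    such a downgrade with the same body would leak the credentials, so
    only redirects whose target is itself https are allowed.
    """
    try:
        enforce_https(location)
    except InsecureUrlError:
        return False
    return True


def is_https_url(url: str) -> bool:
    """Boolean form of enforce_https for call sites that just need a check."""
    return redirect_allowed(url)


if __name__ == "__main__":
    # Constructed sample keyring URLs (not real deployments).
    for candidate in (
        "https://beiwe.example.org/",
        "http://beiwe.example.org/",
        "beiwe.example.org",
    ):
        try:
            print(candidate, "->", enforce_https(candidate))
        except InsecureUrlError as exc:
            print(candidate, "-> rejected:", exc)
```

In a client such as mano, the natural place for this check is wherever the keyring URL is read, before any request is built; the `redirect_allowed` check belongs in whatever redirect-following logic the HTTP library exposes, so that an https-to-http downgrade is treated as an error rather than silently followed.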