spinalcordmri / spinalcordmri.github.io

Web site of spinalcordmri organization.
https://spinalcordmri.github.io/

Add security #69

Closed alexfoias closed 3 years ago

alexfoias commented 3 years ago

Fixes #68.

The problem seems to come from the image on the home page. Implemented some solutions from here: https://blog.webjeda.com/jekyll-ssl/ I also enforced ssl from GH settings, but we are using a custom domain. When tested locally I cannot see the page secured (maybe because of the custom domain). Maybe we can push the changes to master and then check if they do the job.

Maybe @Drulex has better suggestions.

Drulex commented 3 years ago

The warning will show up if the page delivers anything over an insecure channel. One quick way to detect what is non-secure is to filter the html source for stuff (links, images) using http urls. I see a few on the main page:

<link rel="canonical" href="http://www.spinalcordmri.org/"> -> canonical url of page. I think 3ea0ca44feb33e1e5ccb8260186147cb36277e82 should fix this.

<link type="application/atom+xml" rel="alternate" href="http://www.spinalcordmri.org/feed.xml" title="Spinal Cord MRI"> -> link to rss feed

<a href="http://forum.spinalcordmri.org" target="_blank">Forum</a> -> link to forum

<img src="http://www.spinalcordmri.org/assets/cover_spinalcordmri_book.jpg" alt="My helpful screenshot" style="float: left; margin-right: 25px"> -> the picture on the main page. I assume 3ea0ca44feb33e1e5ccb8260186147cb36277e82 should fix this as well.

@alexfoias Does https://spinalcordmri.org/ already include your changes?

You can use the web developer tools in your browser (F12), open the html inspector and look for http urls.
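The "filter the html source for http urls" check above can be scripted so it runs over the whole generated `_site` output instead of one page in the inspector. This is an added example, not code from the repository: it uses Python's standard-library HTML parser and separates sub-resources the browser actually fetches (active content such as scripts and stylesheets, which browsers block on an https page; passive content such as images, which load but trigger the warning) from plain references like `<a href>`, canonical and feed links, which do not cause the warning but are still worth switching to https. The sample HTML is constructed from the tags quoted in the thread, not the real site's markup.

```python
"""Classify http:// URLs in Jekyll output as active/passive mixed content or a plain reference."""
from html.parser import HTMLParser

# (tag, attribute) pairs the browser fetches as sub-resources over the given scheme.
ACTIVE = {("script", "src"), ("iframe", "src"), ("object", "data"), ("embed", "src")}  # browsers block these
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}       # loaded, but flagged

class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, tag, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in ("src", "href", "data"):
            url = attrs.get(name) or ""
            if not url.lower().startswith("http://"):
                continue  # https://, scheme-relative //host/ and relative URLs inherit the page's scheme
            if (tag, name) in ACTIVE:
                kind = "active"
            elif (tag, name) in PASSIVE:
                kind = "passive"
            elif tag == "link" and "stylesheet" in (attrs.get("rel") or "").lower().split():
                kind = "active"
            else:
                kind = "reference"  # <a href>, canonical and feed links are not fetched: no warning, still fix
            self.findings.append((kind, tag, url))

def scan(html):
    """All http:// findings in one document, in source order."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

def mixed_content(html):
    """Only the findings a browser would block or warn about."""
    return [f for f in scan(html) if f[0] != "reference"]

# Constructed sample modelled on the tags quoted in the thread, not the real site's HTML.
SAMPLE = """<html><head>
<link rel="canonical" href="http://www.spinalcordmri.org/">
<link type="application/atom+xml" rel="alternate" href="http://www.spinalcordmri.org/feed.xml">
<link rel="stylesheet" href="https://www.spinalcordmri.org/css/main.css">
<script src="http://cdn.example/analytics.js"></script></head><body>
<a href="http://forum.spinalcordmri.org" target="_blank">Forum</a>
<img src="http://www.spinalcordmri.org/assets/cover_spinalcordmri_book.jpg" alt="cover">
<img src="//www.spinalcordmri.org/assets/logo.png"></body></html>"""
```

Running `mixed_content(open(path).read())` over every `.html` file under `_site` after `bundle exec jekyll build` gives the list that must be empty before the lock icon will show, independent of which domain the local server answers on.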

alexfoias commented 3 years ago

@Drulex The current online version doesn't include my change. I tried to build it locally, but I cannot see the secured pages.

Drulex commented 3 years ago

I cannot see the secured pages

Do you mean you can't see the page at all or that the page is still insecure? Basically any http in the repo needs to be replaced with https directly or indirectly.

alexfoias commented 3 years ago

I mean when running: bundle exec jekyll serve

Drulex commented 3 years ago

I mean when running: bundle exec jekyll serve

jekyll serve will serve over localhost which is not the domain on the certificate (spinalcordmri.org), therefore it cannot verify your changes with that.

You could add an entry to your hosts file such as: 127.0.0.1:4000 spinalcordmri.org to fool the browser into making the SSL connection (although I'm not 100% sure all cases would be covered, it's better to test with the real web server).

But like I said, all non-https URLs in the codebase would need to be changed first to be https.

If you want you can assign this to me.

alexfoias commented 3 years ago

@Drulex Yes, you can do the changes.

@jcohenadad Is it okay if @Drulex fixes the non-https URLs in the codebase?

Drulex commented 3 years ago

Implemented some solutions from here: https://blog.webjeda.com/jekyll-ssl/ I also enforced ssl from GH settings, but we are using a custom domain.

Just took a look at link above and since we are using a custom domain I don't think github pages can serve the SSL. We can give it a try by merging this.

alexfoias commented 3 years ago

@jcohenadad @Drulex Should we give it a try and merge?

alexfoias commented 3 years ago

@jcohenadad Could you please approve this PR to give it a try? Thanks