Need to use permanent redirects and do
https://www.owasp.org/index.php/HTTP_Strict_Transport_Security

I have created https://github.com/wso2/carbon-uuf/issues/190

On Mon, Feb 6, 2017 at 12:25 PM, Kasun Thennakoon <[email protected]> wrote:

> Hi all,
>
> We thought of doing the $subject since the publisher and store apps
> are built on top of REST APIs and most of the data transfers happen from
> client side JS. In each REST API call from the swagger-client, we send the
> access token in the headers, which would not be good if we send them over
> HTTP.
> So the idea is to redirect all the HTTP requests to HTTPS automatically, so
> that we make sure cookies are transferred in a secured manner.
>
> 1. Further, is it ok to close the HTTP port (9090) and only allow
> HTTPS (9292) connections for publisher and store apps?
> 2. Is there a way we can achieve this from UUF?
>
> By going through the code [1] I was able to redirect the users to HTTPS in
> the following way.
>
> if (!env.request.isSecure()) {
>     // Plaintext request: rebuild the same path on the HTTPS port and redirect.
>     var local_address = env.request.getLocalAddress();
>     var uri = env.request.getUri();
>
>     var secured_port = env.getSecuredPort(); // hypothetical
>     var redirect_to = "https://" + local_address + ":" + secured_port + uri;
>     sendRedirect(redirect_to);
> }
>
>
> To share the code with other request handlers we can put it into a module
> and include it in all the relevant pages.
> But if we have a way to achieve this [2], we can use the same method here
> to redirect users to secure URLs.
> Or should this be handled at the carbon transport level?
>
> [1]: https://github.com/wso2/carbon-uuf/blob/master/components/uuf-core/src/main/java/org/wso2/carbon/uuf/spi/HttpRequest.java
> [2]: [Dev] [UUF] Common "OnGet" method for all requests for a particular
> app
>
> Thanks!
> --
> *Kasun Thennakoon*
> Software Engineer
> WSO2, Inc.
> Mobile:+94 711661919
>



-- 
With regards,
Manuranga Perera.

phone : 071 7 70 20 50
mail : [email protected]
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
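As an added illustration of the thread's two points (a permanent 301 redirect from the plaintext port plus an HSTS header on secure responses), not code from UUF or from either poster: the request shape below (isSecure, headers.host, localAddress, uri, queryString) is a hypothetical stand-in for UUF's HttpRequest, and the sample requests are constructed.

```javascript
'use strict';

// 301 rather than 302: browsers cache a permanent redirect, so later http://
// visits are rewritten client-side before any cookie or token leaves the host.
const MOVED_PERMANENTLY = 301;
// One year, applied to subdomains; scope this to what the deployment serves.
const HSTS_VALUE = 'max-age=31536000; includeSubDomains';

// Builds the https:// URL for a plaintext request. The Host header, not the
// socket's local address, is used so the redirect targets the name the client
// actually asked for (reverse proxies and NAT make the two differ).
function buildSecureUrl(request, securedPort) {
  const hostHeader = request.headers.host || request.localAddress;
  const hostname = hostHeader.replace(/:\d+$/, ''); // drop any explicit port
  const port = securedPort === 443 ? '' : ':' + securedPort; // keep URL canonical
  const query = request.queryString ? '?' + request.queryString : '';
  return 'https://' + hostname + port + request.uri + query;
}

// Returns the response a handler should send: a 301 for plaintext requests,
// otherwise the caller's response with HSTS added. HSTS is only set on secure
// responses because browsers ignore the header when it arrives over HTTP.
function enforceHttps(request, securedPort, buildResponse) {
  if (!request.isSecure) {
    return {
      status: MOVED_PERMANENTLY,
      headers: { Location: buildSecureUrl(request, securedPort) },
      body: '',
    };
  }
  const response = buildResponse(request);
  response.headers = Object.assign({}, response.headers, {
    'Strict-Transport-Security': HSTS_VALUE,
  });
  return response;
}

// Constructed sample requests for the publisher app on ports 9090 / 9292.
const plainRequest = { isSecure: false, headers: { host: 'localhost:9090' },
  localAddress: '127.0.0.1', uri: '/publisher/apis', queryString: 'page=2' };
const secureRequest = { isSecure: true, headers: { host: 'localhost:9292' },
  localAddress: '127.0.0.1', uri: '/publisher/apis', queryString: '' };
const okResponse = () => ({ status: 200, headers: {}, body: 'ok' });

console.log(enforceHttps(plainRequest, 9292, okResponse));
console.log(enforceHttps(secureRequest, 9292, okResponse));
```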
