On Jun 30, 2017, at 11:42 AM, Richard Hipp <d...@sqlite.org> wrote:
> 
> Trunk now contains a "Security Audit" page whose purpose is to review
> the countless settings and configuration options in Fossil and try to
> sniff out undesirable misconfigurations.

Yay!

Does it automate the permission sanity checks I posted to the -users list once 
upon a time?

    https://www.mail-archive.com/fossil-users@lists.fossil-scm.org/msg22473.html

A possible improvement: its check for the forced-HTTPS option should be smart 
enough to try connecting to $hostname on port 80 to see if it gets an immediate 
redirect to port 443, and if so, suppress the warning.  I haven’t had this 
setting enabled on my repos because I enforce HTTPS at the front-end proxy 
layer on my public Fossil instances.

Obviously there’s an easy workaround: enable the setting to placate the tool, 
but I don’t *like* placating tools. :)
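
The port-80 probe suggested above, sketched in Python as an added example; it is not part of the original message or of Fossil's code. The function names and the constructed local stand-in for the front-end proxy are assumptions for illustration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

def is_https_redirect(status, location, host):
    """True if (status, Location) sends the client to HTTPS on the same host, port 443."""
    if status not in REDIRECT_CODES or not location:
        return False
    try:
        target = urlsplit(location)
        port = target.port              # raises ValueError on a malformed port
    except ValueError:
        return False
    return (target.scheme == "https"
            and (target.hostname or "").lower() == host.lower()
            and port in (None, 443))

def proxy_forces_https(host, port=80, timeout=5):
    """Send one plain-HTTP request, without following redirects, and classify the reply."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        return is_https_redirect(resp.status, resp.getheader("Location"), host)
    except (OSError, http.client.HTTPException):
        return False  # no usable answer on the plain-HTTP port: keep the warning
    finally:
        conn.close()

def serve_once(status, location):
    """Constructed local stand-in for a front-end proxy; answers one GET, returns its port."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(status)
            if location:
                self.send_header("Location", location)
            self.send_header("Content-Length", "0")
            self.end_headers()
        def log_message(self, *args):   # keep the demo quiet
            pass
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.handle_request, daemon=True).start()
    return server.server_port
```

A probe run from the server itself sees only one network path, so a positive result is a reason to suppress the warning, not proof that every client is redirected.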