Bug #38764: Enforce HTTPS on tracker.ceph.com
Status: closed
Description
ceph.com already redirects to the secure endpoint and sets the CSP upgrade-insecure-requests directive (https://www.w3.org/TR/upgrade-insecure-requests/).
However, tracker.ceph.com does not follow this practice, so if you miss adding the trailing -s or the plain-text one gets cached in your browser history, you'll end up regularly sending your password/session cookies unencrypted on the wire. Would it be possible to enable HSTS or at least CSP in the Ceph tracker, and request addition to the browser HSTS preload list (https://hstspreload.org)?
Updated by David Galloway over 4 years ago
- Status changed from New to Resolved
- Assignee set to David Galloway
Pages on tracker.ceph.com that displayed the Ceph logo resulted in browsers reporting "blocked mixed content."
The custom Ceph theme had a direct link to logo.png but was using http://.
I just updated the theme's stylesheet and edited nginx config to redirect http requests to https.
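The three properties this ticket asks for (an HTTP-to-HTTPS redirect, an HSTS policy that meets the hstspreload.org requirements, and a CSP with upgrade-insecure-requests) can be audited from a site's response headers. The checker below is an added example, not part of this tracker thread or of the Ceph infrastructure; the header sets it runs over are constructed samples, and `tracker.example.invalid` is a placeholder host.

```python
from typing import Dict, List

ONE_YEAR = 31536000  # minimum max-age (seconds) the hstspreload.org list requires


def parse_hsts(value: str) -> dict:
    """Split a Strict-Transport-Security header into its directives."""
    out = {"max_age": None, "include_subdomains": False, "preload": False}
    for raw in value.split(";"):
        d = raw.strip().lower()
        if d.startswith("max-age="):
            try:
                out["max_age"] = int(d.split("=", 1)[1].strip('"'))
            except ValueError:
                pass  # malformed max-age stays None and fails the audit below
        elif d == "includesubdomains":
            out["include_subdomains"] = True
        elif d == "preload":
            out["preload"] = True
    return out


def audit(http_status: int, http_location: str, https_headers: Dict[str, str]) -> List[str]:
    """Return the problems found (empty list = passes). http_status/http_location
    describe the plain-HTTP response; https_headers come from the HTTPS endpoint."""
    problems = []
    if not 300 <= http_status < 400 or not http_location.startswith("https://"):
        problems.append("plain HTTP is not redirected to https://")
    lower = {k.lower(): v for k, v in https_headers.items()}
    hsts = lower.get("strict-transport-security")
    if hsts is None:
        problems.append("no Strict-Transport-Security header")
    else:
        p = parse_hsts(hsts)
        if p["max_age"] is None or p["max_age"] < ONE_YEAR:
            problems.append("HSTS max-age below one year")
        if not p["include_subdomains"]:
            problems.append("HSTS lacks includeSubDomains")
        if not p["preload"]:
            problems.append("HSTS lacks preload token")
    if "upgrade-insecure-requests" not in lower.get("content-security-policy", "").lower():
        problems.append("CSP lacks upgrade-insecure-requests (http:// subresources not upgraded)")
    return problems


# Constructed samples: the reported state (no redirect, no headers) and a fixed one.
BEFORE = dict(http_status=200, http_location="", https_headers={})
AFTER = dict(http_status=301, http_location="https://tracker.example.invalid/",
             https_headers={"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
                            "Content-Security-Policy": "upgrade-insecure-requests"})
```

`audit(**BEFORE)` reports all three gaps while `audit(**AFTER)` returns an empty list; feeding it headers captured with `curl -sI` against a real host is the intended use.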