Bug #38764

closed

Enforce HTTPS on tracker.ceph.com

Added by Ernesto Puerta about 5 years ago. Updated over 4 years ago.

Status: Resolved
Priority: Normal
% Done: 0%
Regression: No
Severity: 1 - critical

Description

ceph.com already redirects to the secure endpoint and sets CSP upgrade-insecure-requests (https://www.w3.org/TR/upgrade-insecure-requests/).

However, tracker.ceph.com does not follow this practice, so if you miss adding the trailing -s, or the plain-text URL gets cached in your browser history, you'll end up regularly sending your password/session cookies unencrypted on the wire. Would it be possible to enable HSTS, or at least CSP, in the Ceph tracker, and request addition to the browser HSTS preload list (https://hstspreload.org)?

#1

Updated by David Galloway over 4 years ago

  • Status changed from New to Resolved
  • Assignee set to David Galloway

Pages on tracker.ceph.com that displayed the Ceph logo resulted in browsers reporting "blocked mixed content."

The custom Ceph theme had a direct link to logo.png but was using http://.

I just updated the theme's stylesheet and edited nginx config to redirect http requests to https.
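The kind of change described in the comment above and requested in the report, as an added example rather than the tracker's actual nginx configuration: the plain-HTTP server block beside a hardened pair that redirects to HTTPS and sends HSTS (with preload-eligible values) and CSP upgrade-insecure-requests. The hostname is taken from the issue; certificate paths, the document root and the Redmine backend address are assumptions.

```nginx
# Added example, not tracker.ceph.com's real config. Paths and backend
# address are assumed placeholders.

# --- Before: the site answers on plain HTTP, so a typed or history-cached
# http:// URL sends the Redmine session cookie in clear text.
server {
    listen 80;
    server_name tracker.ceph.com;
    root /var/www/redmine/public;             # assumed path
    location / { try_files $uri @redmine; }
    location @redmine { proxy_pass http://127.0.0.1:3000; }   # assumed backend
}

# --- After: port 80 only redirects; content is served on 443 only.
server {
    listen 80;
    server_name tracker.ceph.com;
    # Permanent redirect that keeps host and path; nothing is served here.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name tracker.ceph.com;
    ssl_certificate     /etc/ssl/certs/tracker.ceph.com.pem;    # assumed path
    ssl_certificate_key /etc/ssl/private/tracker.ceph.com.key;  # assumed path

    # HSTS: hstspreload.org requires max-age of at least one year plus the
    # includeSubDomains and preload tokens. "always" emits the header on
    # error responses too, not only on 2xx/3xx.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

    # Tells the browser to fetch http:// subresources (such as a theme's
    # logo.png) over https instead of blocking them as mixed content.
    add_header Content-Security-Policy "upgrade-insecure-requests" always;

    root /var/www/redmine/public;             # assumed path
    location / {
        # Caveat: an add_header inside a location replaces every inherited
        # add_header, so repeat the two headers here if you add any others.
        try_files $uri @redmine;
    }
    location @redmine {
        proxy_pass http://127.0.0.1:3000;     # assumed Redmine backend
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;   # lets Redmine build https URLs
    }
}
```

Note that hstspreload.org only accepts registrable domains, so preloading would be submitted for ceph.com (covering all its subdomains via includeSubDomains), not for tracker.ceph.com on its own.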

