[aur-general] Securing the AUR website

Lukas Fleischer archlinux at cryptocrack.de
Sat Aug 6 08:32:01 EDT 2011

For all tl;dr guys around. This is my proposal:

* Use HTTPs links by default (this is already implemented).

* Enable secure cookies.

* Disallow HTTP login (or at least print a big, fat warning if a user
  tries to login via HTTP).

* Possibly use HSTS.

This should fix all possible vulnerabilities related to HTTPs we can
actually fix. Let me know if I missed something.

More information about the aur-general mailing list