[aur-general] Securing the AUR website
archlinux at cryptocrack.de
Sat Aug 6 08:32:01 EDT 2011
For all tl;dr guys around. This is my proposal:
* Use HTTPs links by default (this is already implemented).
* Enable secure cookies.
* Disallow HTTP login (or at least print a big, fat warning if a user
tries to login via HTTP).
* Possibly use HSTS.
This should fix all possible vulnerabilities related to HTTPs we can
actually fix. Let me know if I missed something.
More information about the aur-general