[aur-general] Securing the AUR website

Thomas Bächler thomas at archlinux.org
Sun Aug 7 05:31:58 EDT 2011

Am 06.08.2011 14:32, schrieb Lukas Fleischer:
> For all tl;dr guys around. This is my proposal:
> * Use HTTPs links by default (this is already implemented).
> * Enable secure cookies.
> * Disallow HTTP login (or at least print a big, fat warning if a user
>   tries to login via HTTP).

I would really go with "disallow". Don't even show a login form, just a
link that directs to https _before_ being able to enter a password.

> * Possibly use HSTS.
> This should fix all possible vulnerabilities related to HTTPs we can
> actually fix. Let me know if I missed something.

Yes, the list looks complete.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 262 bytes
Desc: OpenPGP digital signature
URL: <http://mailman.archlinux.org/pipermail/aur-general/attachments/20110807/dfda63fe/attachment.asc>

More information about the aur-general mailing list