[aur-general] Securing the AUR website
thomas at archlinux.org
Sun Aug 7 05:31:58 EDT 2011
On 06.08.2011 14:32, Lukas Fleischer wrote:
> For all tl;dr guys around. This is my proposal:
> * Use HTTPS links by default (this is already implemented).
> * Enable secure cookies.
> * Disallow HTTP login (or at least print a big, fat warning if a user
> tries to log in via HTTP).
I would really go with "disallow". Don't even show a login form, just a
link that directs to https _before_ being able to enter a password.
> * Possibly use HSTS.
> This should fix all possible vulnerabilities related to HTTPS we can
> actually fix. Let me know if I missed something.
Yes, the list looks complete.
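The four points of the proposal above (HTTPS links, Secure cookies, no login over plain HTTP, HSTS), as an added example that is not part of this thread or of the AUR code base: a small WSGI middleware in Python that refuses to serve the login form over HTTP and redirects to the HTTPS URL instead, drops any Set-Cookie header on plain-HTTP responses, forces the Secure and HttpOnly attributes on cookies issued over HTTPS, and adds a Strict-Transport-Security header to HTTPS responses only (browsers ignore HSTS received over HTTP). The /login path, the one-year max-age, the demo application and the constructed requests are assumptions for the example.

```python
"""Added example: enforce HTTPS-only login, Secure cookies and HSTS in WSGI.

Assumptions (not from the thread): the login form lives at /login and a
one-year HSTS max-age is acceptable.
"""
from urllib.parse import urlunsplit

LOGIN_PATH = "/login"            # assumption: path of the login form
HSTS_VALUE = "max-age=31536000"  # assumption: one year; add includeSubDomains if wanted


def is_https(environ):
    # wsgi.url_scheme is set by the server. Behind a TLS-terminating proxy
    # you would also consult X-Forwarded-Proto, but only from a trusted proxy.
    return environ.get("wsgi.url_scheme") == "https"


def https_url(environ):
    """Same request, rewritten to the https scheme."""
    host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
    path = environ.get("SCRIPT_NAME", "") + environ.get("PATH_INFO", "")
    return urlunsplit(("https", host, path, environ.get("QUERY_STRING", ""), ""))


def harden_set_cookie(value):
    """Append Secure and HttpOnly to a Set-Cookie value unless already present."""
    parts = [p.strip() for p in value.split(";")]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    if "secure" not in attrs:
        parts.append("Secure")
    if "httponly" not in attrs:
        parts.append("HttpOnly")
    return "; ".join(parts)


class HttpsEnforcer:
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        secure = is_https(environ)
        if not secure and environ.get("PATH_INFO", "") == LOGIN_PATH:
            # Do not show the form at all: send the user to HTTPS before a
            # password can be typed.
            start_response("301 Moved Permanently",
                           [("Location", https_url(environ)),
                            ("Content-Type", "text/plain")])
            return [b"Login is only available over HTTPS.\n"]

        def wrapped_start(status, headers, exc_info=None):
            out = []
            for name, value in headers:
                if name.lower() == "set-cookie":
                    if not secure:
                        continue  # never issue a session cookie over plain HTTP
                    value = harden_set_cookie(value)
                out.append((name, value))
            if secure:
                out.append(("Strict-Transport-Security", HSTS_VALUE))
            return start_response(status, out, exc_info)

        return self.app(environ, wrapped_start)


def demo_app(environ, start_response):
    """Constructed stand-in for the site: sets a session cookie on every hit."""
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Set-Cookie", "session=abc123; Path=/")])
    return [b"hello\n"]


def call(app, scheme, path, host="aur.archlinux.org"):
    """Drive a WSGI app with a constructed environ; returns (status, headers, body)."""
    environ = {"wsgi.url_scheme": scheme, "HTTP_HOST": host, "SERVER_NAME": host,
               "REQUEST_METHOD": "GET", "SCRIPT_NAME": "", "PATH_INFO": path,
               "QUERY_STRING": ""}
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body


if __name__ == "__main__":
    app = HttpsEnforcer(demo_app)
    for scheme, path in (("http", "/login"), ("http", "/packages"), ("https", "/login")):
        print(scheme, path, call(app, scheme, path)[:2])
```

Because the Secure attribute keeps the browser from ever sending the cookie over HTTP, the middleware only has to make sure no cookie is issued over HTTP in the first place; the redirect on /login covers the form itself, and HSTS makes the browser upgrade later plain-HTTP links on its own.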