[aur-general] Securing the AUR website
Thomas Bächler
thomas at archlinux.org
Sun Aug 7 05:31:58 EDT 2011
On 06.08.2011 14:32, Lukas Fleischer wrote:
> For all tl;dr guys around. This is my proposal:
>
> * Use HTTPs links by default (this is already implemented).
>
> * Enable secure cookies.
>
> * Disallow HTTP login (or at least print a big, fat warning if a user
> tries to log in via HTTP).
I would really go with "disallow". Don't even show a login form, just a
link that directs to https _before_ being able to enter a password.
> * Possibly use HSTS.
>
> This should fix all possible vulnerabilities related to HTTPs we can
> actually fix. Let me know if I missed something.
>
Yes, the list looks complete.
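As an added illustration (not aurweb's own code) of the three points above, combined with the "link only, no form over HTTP" variant: a minimal WSGI-style login handler that refuses to render a login form over plain HTTP, sends an HSTS header on HTTPS responses, and sets the session cookie with the Secure and HttpOnly flags. The hostname, the cookie name AURSID and the session id passed in by the caller are assumptions.

```python
# Added example, not aurweb code. Implements: HTTPS-only login (link, not a
# form, over HTTP), HSTS on HTTPS responses, Secure + HttpOnly session cookie.
from http.cookies import SimpleCookie

HTTPS_BASE = "https://aur.example.org"  # assumed hostname (placeholder)
HSTS_MAX_AGE = 31536000                 # one year, in seconds


def is_https(environ):
    # Trust the scheme the server/WSGI layer reports, never a client header.
    # If TLS terminates at a reverse proxy, have it set wsgi.url_scheme.
    return environ.get("wsgi.url_scheme") == "https"


def hsts_header():
    # Browsers only honour HSTS when received over HTTPS, so it is only
    # attached to HTTPS responses below.
    return ("Strict-Transport-Security",
            "max-age=%d; includeSubDomains" % HSTS_MAX_AGE)


def session_cookie(session_id):
    # Secure: sent only over TLS.  HttpOnly: not readable from page scripts.
    jar = SimpleCookie()
    jar["AURSID"] = session_id  # cookie name is an assumption
    jar["AURSID"]["secure"] = True
    jar["AURSID"]["httponly"] = True
    jar["AURSID"]["path"] = "/"
    return ("Set-Cookie", jar["AURSID"].OutputString())


def login(environ, credentials_ok, session_id):
    """Return (status, headers, body) for a request to the login page."""
    path = environ.get("PATH_INFO", "/login")
    if not is_https(environ):
        # Disallow HTTP login entirely: no form, just a link to the HTTPS page,
        # so a password can never be typed into a plain-HTTP page.
        body = '<a href="%s%s">Log in over HTTPS</a>' % (HTTPS_BASE, path)
        return ("403 Forbidden", [("Content-Type", "text/html")], body)
    headers = [("Content-Type", "text/html"), hsts_header()]
    if environ.get("REQUEST_METHOD") == "POST" and credentials_ok:
        headers.append(session_cookie(session_id))
        headers.append(("Location", HTTPS_BASE + "/"))
        return ("302 Found", headers, "")
    form = ('<form method="post"><input name="user">'
            '<input type="password" name="passwd"></form>')
    return ("200 OK", headers, form)
```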