[ic] AlwaysSecure ExtraSecure issue

Paul Jordan paul at gishnetwork.com
Fri May 3 16:18:11 UTC 2013

It appears that Interchange doesn't actually intercept requests for pages in 
AlwaysSecure and tells Apache to deliver them under https. I think this is 
not news. ExtraSecure, I believe, is suppose to treat a http:// requested 
page listed in AlwaysSecure as a missing page - it just refuses to 
acknowledge the pages existence.

That's cool. However, it appears that if you remove the '.html' and append a 
'/' to a page in AlwaysSecure, Interchange will deliver the page via http

AlwaysSecure  login foo bar
ExtraSecure 1


In my experience, this will deliver login.html over http only. I had to add 
'login/' to AlwaysSecure to get the treatment back. I stumbled upon this in 
trying to figure out how to force a page being requested externally, is 
delivered in https.


More information about the interchange-users mailing list