[ic] RFC: New AlwaysSecureGlob directive

Jon Jensen jon at endpoint.com
Sun Mar 26 00:38:36 UTC 2017


On Sun, 26 Mar 2017, Peter wrote:

> On 26/03/17 12:56, Jon Jensen wrote:
>> The AlwaysSecure directive requires an exact match of the page name and 
>> it's not possible to enumerate all the admin URLs or ActionMaps that 
>> should be generated secure-only, so this new directive makes that 
>> possible with wildcard matching.
>
> I like this idea but I think its time is fast passing. 
> Recommendations nowadays (especially with pushes from Google, etc) are 
> that the *entire site* should be served up as https, and this is easily 
> done with an httpd redirect and setting VendURL to https://... So with 
> that in mind specifying which pages should always need to be secure 
> becomes a bit pointless.

I agree that the time is fast passing, and on every new site we make we do 
use HTTPS only. Much simpler all around.

But for many legacy sites it's still going to be years before we can do 
that due to numerous dependencies on the plain HTTP URLs.

In the meantime the old AlwaysSecure directive just doesn't work for huge 
classes of URLs and I keep finding legacy sites where internal admin URLs 
are pointing to plain http: and then getting redirected back to https, 
leaking data along the way or failing if ExtraSecure is set.

Jon


-- 
Jon Jensen
End Point Corporation
https://www.endpoint.com/
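As an added illustration of the exact-match versus wildcard distinction discussed in the thread (example code written for this page, not Interchange's own implementation): a Python matcher in which AlwaysSecure holds exact page names and AlwaysSecureGlob holds wildcard patterns, plus an audit pass over generated links that reports any plain-http link hitting a secure-only rule, i.e. the links that would be redirected to https only after the request has already gone over the wire. The directive values, the glob semantics ('*' spans any characters including '/', '?' exactly one), the derivation of the page name from the URL path and the sample links are all assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed configuration, modelled on the directives named in the thread.
# AlwaysSecure: exact page names only (the limitation Jon describes).
ALWAYS_SECURE = {"login", "checkout", "admin/index"}
# AlwaysSecureGlob: assumed shell-style patterns; '*' matches any run of
# characters (including '/'), '?' matches exactly one character.
ALWAYS_SECURE_GLOB = ["admin/*", "*/account_*", "process/order?"]


def glob_to_regex(pattern):
    """Translate one glob into an anchored regex; every other char is escaped."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


GLOB_RULES = [glob_to_regex(p) for p in ALWAYS_SECURE_GLOB]


def must_be_secure(page):
    """True if the page name hits an exact AlwaysSecure entry or any glob.
    Assumption: the page name is the URL path without leading/trailing '/'
    (real Interchange URLs carry a catalog prefix; simplified here)."""
    page = page.strip("/")
    return page in ALWAYS_SECURE or any(r.match(page) for r in GLOB_RULES)


def audit_links(urls):
    """Return links that are secure-only by rule but were generated as plain
    http: these get redirected to https only after the request (and whatever
    query data it carried) has already crossed the wire unencrypted."""
    return [u for u in urls
            if urlsplit(u).scheme == "http" and must_be_secure(urlsplit(u).path)]


# Constructed sample of links as a legacy page might generate them.
SAMPLE_LINKS = [
    "http://shop.example/login",                  # exact-match rule, wrong scheme
    "http://shop.example/admin/orders?id=42",    # only a glob catches this one
    "https://shop.example/admin/orders",         # already correct
    "http://shop.example/members/account_edit",  # matched by '*/account_*'
    "http://shop.example/catalog/widgets",       # public page, http is fine
]

if __name__ == "__main__":
    for link in audit_links(SAMPLE_LINKS):
        print("served over http first, then redirected:", link)
```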