Implement HTTPS for authentication
aliu-vmware opened this issue · 1 comment
aliu-vmware commented
Sending plaintext passwords over the internet is a massive security hole. Any site that requires authentication should implement HTTPS for basic channel security.
https://aws.amazon.com/certificate-manager/ should be able to do it.
This can probably also be done using Let's Encrypt.
sunnymui commented
In addition to the SSL certificate, you also need to force redirects to HTTPS.
Apache instructions / snippet:
https://www.namecheap.com/support/knowledgebase/article.aspx/9821/38/apache-redirect-to-https
nginx instructions / snippet:
https://serversforhackers.com/c/redirect-http-to-https-nginx
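Added example, not part of the issue thread or the project's code: a small Python check for verifying, once the redirect discussed above is configured, that a request sent over plain HTTP is answered only with a redirect to HTTPS on the same host. The function name, finding labels and the `example.test` responses are constructed for illustration.

```python
from urllib.parse import urlsplit

def check_plain_http_response(request_url, status, headers):
    """Audit the response a server gave to a plain-HTTP request.

    headers is a list of (name, value) tuples, as a client would capture them.
    Returns a list of finding labels; an empty list means the redirect is sound.
    """
    findings = []
    location = next((v for k, v in headers if k.lower() == "location"), None)
    if status not in (301, 302, 303, 307, 308) or location is None:
        # The page (and any login form on it) was served in the clear.
        findings.append("no-redirect")
    else:
        target = urlsplit(location)
        if target.scheme != "https":
            # Includes relative Location values, which stay on http://.
            findings.append("redirect-not-https")
        elif target.hostname != urlsplit(request_url).hostname:
            findings.append("redirect-changes-host")
        if status not in (301, 308):
            # Temporary redirects are not cached, so every visit starts on HTTP.
            findings.append("temporary-redirect")
    if any(k.lower() == "set-cookie" for k, _ in headers):
        # A cookie issued on the plaintext response crosses the network unencrypted.
        findings.append("cookie-set-over-http")
    return findings

# Constructed sample responses (not captured from any real site).
SAMPLES = {
    "forced redirect": ("http://example.test/login", 301,
                        [("Location", "https://example.test/login")]),
    "served over http": ("http://example.test/login", 200,
                         [("Content-Type", "text/html"),
                          ("Set-Cookie", "session=abc123; HttpOnly")]),
    "redirect stays on http": ("http://example.test/login", 302,
                               [("Location", "http://example.test/login/")]),
}

if __name__ == "__main__":
    for name, (url, status, headers) in SAMPLES.items():
        print(name, "->", check_plain_http_response(url, status, headers) or "ok")
```

To run it against a live deployment, capture the status and headers of an `http://` request with redirects disabled and pass them in.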