
PAWS does not enforce HTTPS
Closed, ResolvedPublic

Description

PAWS is quite happy to let you access it over plain HTTP – in fact, your session remains valid across protocols, so you don’t even need to log in, your token will just silently remain valid after you sent it for all the world to see :/

Suggestion: redirect all HTTP requests to HTTPS with 301 Moved Permanently, send an HSTS header (e.g. Strict-Transport-Security: max-age=2592000, one month), and if possible invalidate any token that was sent over plain HTTP (e.g. if the max-age expired or the browser doesn’t support HSTS).
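The three measures suggested above, as a small WSGI middleware written here as an added example (this is not PAWS or JupyterHub code). It assumes the session token travels in a cookie named `session` (hypothetical) and that the scheme is available as `wsgi.url_scheme`; a deployment behind a TLS-terminating proxy would have to derive the scheme from the proxy's forwarded headers instead.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlunsplit

HSTS_MAX_AGE = 2592000      # one month, the value proposed in the task
SESSION_COOKIE = "session"  # assumed cookie name (hypothetical)

class HttpsEnforcer:
    """WSGI middleware: 301 HTTP->HTTPS, HSTS on HTTPS, burn tokens seen in the clear."""
    def __init__(self, app):
        self.app = app
        # Tokens observed on a plaintext request. A real deployment would keep
        # this in the shared session store, not in process memory.
        self.burned_tokens = set()

    def __call__(self, environ, start_response):
        morsel = SimpleCookie(environ.get("HTTP_COOKIE", "")).get(SESSION_COOKIE)
        token = morsel.value if morsel else None
        if environ.get("wsgi.url_scheme") != "https":
            # The token (if any) was just sent in the clear: never accept it
            # again, then send the client to the HTTPS equivalent of the URL.
            if token:
                self.burned_tokens.add(token)
            target = urlunsplit(("https", environ.get("HTTP_HOST", ""),
                                 environ.get("PATH_INFO", "/"),
                                 environ.get("QUERY_STRING", ""), ""))
            start_response("301 Moved Permanently",
                           [("Location", target), ("Content-Length", "0")])
            return [b""]
        if token in self.burned_tokens:
            # Leaked earlier (e.g. before HSTS was cached): reject and clear it.
            start_response("401 Unauthorized",
                           [("Set-Cookie", f"{SESSION_COOKIE}=; Max-Age=0"),
                            ("Content-Length", "0")])
            return [b""]
        def with_hsts(status, headers, exc_info=None):
            headers.append(("Strict-Transport-Security", f"max-age={HSTS_MAX_AGE}"))
            return start_response(status, headers, exc_info)
        return self.app(environ, with_hsts)

def hello_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]

def handle(enforcer, environ):
    # Drive one constructed request through the middleware; returns (status, headers).
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, dict(headers)
    b"".join(enforcer(environ, start_response))
    return seen["status"], seen["headers"]
```

Burning the token on the plaintext request is what closes the gap the report describes: the 301 alone still lets a token that was already exposed remain valid over HTTPS.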