xapian websites available via https

Olly Betts olly at survex.com
Mon Feb 1 01:38:00 GMT 2016


On Sun, Jan 31, 2016 at 01:51:21PM +0000, James Aylett wrote:
> Some links within Mailman (particularly archives) will still go to
> http, because it doesn’t seem to have any configuration options for
> getting this right. As far as I can tell, neither Mailman nor Trac
> supports issuing secure-only cookies (which is why moving to HSTS is
> important).

I found the option for trac - it's "secure_cookies = true" in the
"[trac]" section of trac.ini, and is now enabled.  This only seems to
affect new cookies (i.e. trac doesn't resend existing cookies such that
the browser upgrades them to being flagged as "secure"), but the cookies
are session cookies, so will expire when the browser gets restarted.
You can go and delete the existing cookies by hand if you want to
refresh them sooner.

It looks like mailman >= 2.1.15 should automatically send "secure"
cookies if web_page_url has an "https" scheme, but this doesn't seem
to happen for some reason, at least on lists.xapian.org.

Cheers,
    Olly
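
Added example, not part of the original message: one way to check whether a response's cookies carry the "secure" flag discussed above, and whether an HSTS header is sent. The two header captures and the cookie names and values in them are constructed for illustration, and audit_response is a hypothetical helper name.

```python
# Added example: audit raw HTTP response headers for cookies that lack
# the Secure attribute, and note whether HSTS is being sent.

def parse_set_cookie(value):
    """Split one Set-Cookie value into (cookie name, {attribute: value})."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs

def audit_response(raw_headers):
    """Return (names of cookies set without Secure, True if HSTS is present)."""
    insecure, hsts = [], False
    for line in raw_headers.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # status line or blank line
        key = key.strip().lower()
        if key == "set-cookie":
            name, attrs = parse_set_cookie(value)
            # Only an attribute counts; a cookie *value* of "secure" does not.
            if "secure" not in attrs:
                insecure.append(name)
        elif key == "strict-transport-security":
            hsts = True
    return insecure, hsts

# Constructed sample: cookies issued before the setting was enabled.
SAMPLE_BEFORE = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: trac_auth=0123456789abcdef; Path=/
Set-Cookie: mode=secure; Path=/
"""

# Constructed sample: new cookies flagged Secure, with HSTS also enabled.
SAMPLE_AFTER = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000
Set-Cookie: trac_auth=0123456789abcdef; Path=/; Secure
Set-Cookie: mode=secure; Path=/; SECURE; HttpOnly
"""

if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        missing, hsts = audit_response(sample)
        print(label, "cookies without Secure:", missing, "HSTS:", hsts)
```

Because existing cookies are not re-sent with the flag, the check is only meaningful against a fresh session with no cookies stored.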


