From 1505a89a63782c477f6acafb1c57f2c78cd132f3 Mon Sep 17 00:00:00 2001 From: Robbie Averill Date: Tue, 24 Apr 2018 16:42:52 +1200 Subject: [PATCH] Update to include note about auto redirect to HTTPS for basic auth --- docs/en/02_Developer_Guides/09_Security/04_Secure_Coding.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/docs/en/02_Developer_Guides/09_Security/04_Secure_Coding.md b/docs/en/02_Developer_Guides/09_Security/04_Secure_Coding.md index e11507cf8..d2a892464 100644 --- a/docs/en/02_Developer_Guides/09_Security/04_Secure_Coding.md +++ b/docs/en/02_Developer_Guides/09_Security/04_Secure_Coding.md @@ -691,6 +691,11 @@ if (!Director::isDev()) { Forcing HTTPS so requires a certificate to be purchased or obtained through a vendor such as [lets encrypt](https://letsencrypt.org/) and configured on your web server. +Note that by default enabling SSL will also enable `CanonicalURLMiddleware::forceBasicAuthToSSL` which will detect +and automatically redirect any requests with basic authentication headers to first be served over HTTPS. You can +disable this behaviour using `CanonicalURLMiddleware::singleton()->setForceBasicAuthToSSL(false)`, or via Injector +configuration in YAML. + We also want to ensure cookies are not shared between secure and non-secure sessions, so we must tell SilverStripe to use a [secure session](https://docs.silverstripe.org/en/3/developer_guides/cookies_and_sessions/sessions/#secure-session-cookie). To do this, you may set the `cookie_secure` parameter to `true` in your `config.yml` for `Session`
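Review bot: the added note says "enabling SSL" while the surrounding paragraph says "forcing HTTPS"; use one term and name the call the note refers to, so readers know exactly which setting switches on `CanonicalURLMiddleware::forceBasicAuthToSSL`. The closing phrase "or via Injector configuration in YAML" gives the reader nothing to copy; add the YAML equivalent of `CanonicalURLMiddleware::singleton()->setForceBasicAuthToSSL(false)` or link to the Injector documentation. It is also worth stating why the default is on: the middleware redirects a request that has already carried basic authentication headers over plain HTTP, so the credentials in that first request were sent in cleartext and only the requests after the redirect are protected, which is the reason to keep the default rather than disable it.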