If I force Discourse to use HTTPS without checking every resource, what happens?


#1

I see a ton of warnings about making sure every resource is HTTPS (which I’ve done) before using force-https in the Discourse security settings. What happens if I don’t?

If my background URL in my CSS code is only HTTP, will that just fail to load until I update my CSS to a proper HTTPS link (http://example.com/uploads/default/original/1x/something.jpg vs https://example.com/uploads/default/original/1x/something.jpg), or does the entire site catastrophically destroy itself?

What’s the risk if I have the padlock and SSL?


#2

You can test by going to your secured site (you might need to go incognito) and use Chrome (or similar) to inspect – then check the Security tab. It will list anything not being served over HTTPS that you may have missed.

The thing that we see frequently is social logins not redirecting to the HTTPS URL.

Once that’s validated you can safely force traffic.


#3

My site is secure, I made sure of that when my padlock wasn’t showing up.

My big question is what happens if someone were to force it regardless? Does the site become inoperable until a file update and rebuild is forced, is it impossible to connect, does it show HTTPS without actual security (like a misconfigured cloudflare)?


#4

It depends on what isn’t secure. If it’s images you’ll see a security error, if it’s an SSO redirection then SSO will fail. I imagine there are thousands of other possible outcomes depending on what the specific missing content is.

This isn’t my area of expertise. @supermathie can probably elaborate.


#5

So the non-HTTPS links simply fail, because the force HTTPS is a simple “discard HTTP links” instead of an “insert a well-placed S in the link”?

That makes a lot more sense, and puts me a bit at ease that there’s no network tampering, even if well intentioned.


(Michael Brown) #6

You’re pretty much on.

The behaviour depends on the browser in question, but in general I think you’re safe assuming:

  • images will load (with a warning)
  • other resources such as .js or .css will refuse to load

If you want to be extra careful before forcing SSL, visiting Chrome’s net-internals page: chrome://net-internals/#hsts and adding your domain to the STS set will let you “preview” how your browser will behave with “Force SSL” enabled.

(presumably you can do this in other browsers, I just know off hand how to do it for Chrome)
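As an added example (not code from this thread or from Discourse), the pre-flight check described in posts #2 and #6, done offline over a saved page and stylesheet instead of through the browser’s Security tab: it lists every subresource still requested over http://, classifies it the way the post above says the browser will treat it (images load with a warning; scripts, stylesheets and frames are refused), and optionally simulates the chrome://net-internals/#hsts entry, under which the browser rewrites any http:// request to that host to https:// before sending it. The sample HTML and CSS are constructed for the example, and example.com / example.net are placeholder hosts. One caveat for anyone reading this later: browsers have tightened mixed-content handling since this post was written (Chrome now auto-upgrades http:// images and blocks them if the upgrade fails), so treat the “loads with warning” outcome as the behaviour the post describes, not as a current guarantee.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# How the post above says a browser treats each kind of insecure subresource.
OPTIONALLY_BLOCKABLE = {"img", "background-image"}   # loads, with a warning
BLOCKABLE = {"script", "link", "iframe"}             # refused outright


class _ResourceCollector(HTMLParser):
    """Collect (kind, url) pairs from the src/href of subresource tags."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("img", "script", "iframe") and a.get("src"):
            self.found.append((tag, a["src"]))
        elif tag == "link" and a.get("href") and "stylesheet" in (a.get("rel") or ""):
            self.found.append(("link", a["href"]))


# url(...) references in CSS, quoted or not.
CSS_URL_RE = re.compile(r"url\(\s*['\"]?([^'\")]+)['\"]?\s*\)")


def collect_resources(html, css):
    """Return every subresource URL found in the HTML and the CSS, with its kind."""
    parser = _ResourceCollector()
    parser.feed(html)
    found = list(parser.found)
    for m in CSS_URL_RE.finditer(css):
        found.append(("background-image", m.group(1)))
    return found


def hsts_upgrade(url, hsts_hosts):
    """Rewrite http:// to https:// when the host is covered by an HSTS entry.

    hsts_hosts maps host -> includeSubDomains flag, mirroring what you add on
    chrome://net-internals/#hsts. Non-http URLs are returned unchanged.
    """
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url
    host = parts.hostname or ""
    for hsts_host, include_subdomains in hsts_hosts.items():
        if host == hsts_host or (include_subdomains and host.endswith("." + hsts_host)):
            return "https://" + url[len("http://"):]
    return url


def audit_mixed_content(html, css, hsts_hosts=None):
    """List http:// subresources and the outcome to expect once HTTPS is forced."""
    hsts_hosts = hsts_hosts or {}
    report = []
    for kind, url in collect_resources(html, css):
        if urlsplit(url).scheme != "http":
            continue  # https://, protocol-relative //, relative and data: URLs are fine
        https_url = "https://" + url[len("http://"):]
        if hsts_upgrade(url, hsts_hosts) != url:
            outcome = "upgraded by HSTS"
        elif kind in OPTIONALLY_BLOCKABLE:
            outcome = "loads with warning"
        else:
            outcome = "blocked"
        # The suggested fix is only valid if that host actually serves HTTPS;
        # for third-party hosts, check before editing the link.
        report.append({"kind": kind, "url": url, "outcome": outcome, "fix": https_url})
    return report


# Constructed sample input (placeholder hosts), not a real Discourse page.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://example.com/stylesheets/site.css">
<script src="//cdn.example.net/lib.js"></script>
<script src="http://cdn.example.net/analytics.js"></script>
</head><body>
<img src="http://example.com/uploads/default/original/1x/logo.png">
<img src="https://example.com/uploads/default/original/1x/ok.png">
<img src="/uploads/default/original/1x/relative.png">
</body></html>
"""
SAMPLE_CSS = """
body { background: url(http://example.com/uploads/default/original/1x/something.jpg) no-repeat; }
.hero { background-image: url("https://example.com/uploads/default/original/1x/hero.jpg"); }
"""

if __name__ == "__main__":
    for hsts in ({}, {"example.com": True}):
        print("HSTS entries:", hsts or "none")
        for row in audit_mixed_content(SAMPLE_HTML, SAMPLE_CSS, hsts):
            print(f"  {row['kind']:17} {row['outcome']:18} {row['url']}")
```

Run without an HSTS entry and the report shows what post #4 predicts: the two http:// images load with a warning, while the http:// stylesheet and script are blocked. Add the site’s own host as an HSTS entry (the net-internals trick) and everything on that host is upgraded before the request is sent, leaving only the third-party script on cdn.example.net as something you have to fix by hand.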


#7

Verified with a few independent sites, as well as @HAWK’s suggestion through the F12 menu, so mine’s already safe.

Good thing my CSS is 20 lines long, lol. Wasn’t much to double check around my tiny site to ensure SSL.

Thanks for the info!


(Michael Friedrich) #8

One thing you can also do to verify SSL is fully operational: do the discobot tutorial with a new user and go until the certificate is rendered. If that SVG rendering fails, this is most likely an SSL error, meaning that Ruby’s SSL verification failed.

I had that once when I didn’t have OCSP configured in Nginx.