Prompt to enable Force HTTPS in the wizard

(Felix Freiberger) #1

When setting up a new Discourse forum, I recently forgot to enable the force https setting :frowning:
This isn’t just a security issue, it also prevents internal HTTPS links from getting the onebox treatment.

Because this setting should usually be enabled anyway, I’d suggest that the setup wizard should prompt to enable it, at least if the user is viewing the wizard over HTTPS. (In that case, I’d even consider enabling it without prompting…)

(Jeff Atwood) #2

Not a bad idea what do you think @eviltrout?

(Robin Ward) #3

I suppose if they have HTTPS working already it wouldn’t harm to turn it on. I am afraid of users turning it on if they haven’t set it up properly yet as their site will become inaccessible.

(Felix Freiberger) #5

Maybe a careful way to push users would be this?

  • If the user is accessing the wizard with HTTPS, silently enable the setting. HTTPS is obviously working.
  • If the user is not using HTTPS, ask him to try it out – click here to switch to HTTPS, if this doesn’t work out, come back here and click skip. If this works, congratulate him and enable the setting. If it doesn’t, leave it be.

(For extra points: If the user doesn’t have HTTPS set up when the wizard exits, seed a system topic in the internal category with instructions for setting up HTTPS.)

(Jeff Atwood) #6

This may need to wait until all our hosted sites are https-on by default… but I agree that if the wizard senses HTTPS is already on then it should be turned on.

(Christoph) #7

Do I understand things correctly that force https is not necessary/irrelevant when my outer NGINX is taking care of SSL?

And if that is so, how might the suggested auto-enable feature affect such constellations?

(Felix Freiberger) #8

No, you should definitely enable the site setting in these cases! It affects many things like internal link handling and whether cookies are marked as secure.

(Vinoth Kannan) #9


Also we can display warning in admin dashboard like above.

(Jeff Atwood) #10

Are we currently displaying that warning? I agree we should if we are not!

(Vinoth Kannan) #11

No. Currently we are not displaying that warning. I will add.

(Vinoth Kannan) #12

PR created FEATURE: Display force_https warning in admin problems dashboard by vinothkannans · Pull Request #5481 · discourse/discourse · GitHub