Commit 49d521e9 authored by Till Brehm

Fixed #5341 CSS Styles do not load in ISPConfig UI when no SSL is used

parent cc8a3e8a
  • My fault on this one - I feel pretty dumb, not even considering that some folks might run ISPConfig without HTTPS.

    The CSP header could still be used on HTTP sites, just remove "; upgrade-insecure-requests" from the end. I don't know how to do that in the template language right offhand (if/else or ??), so just mentioning it for now.

    Similarly, the set-cookie header could/should still be set HTTPOnly, just drop off the 'Secure' if running ISPConfig without HTTPS.

    FWIW, the HSTS header should be fine as is, it is ignored on HTTP sites.

    Edited by Jesse Norell
  • Hi Jesse, my test servers are using https too, that's why I did not notice it earlier. I'll have a look at this to see if we can modify the options for http systems. But in general, I would say that users should just enable https. I guess we should consider disabling the option to not encrypt the UI in ISPConfig 3.2.

  • I'll submit a merge request which should handle this for http vs https.
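
The header rules from the discussion above, as an added example that is not part of the commit or the ISPConfig code base: a small Python check that flags `upgrade-insecure-requests` or a `Secure` cookie on a plain-HTTP response, and a missing `HttpOnly` or (on HTTPS) `Secure` attribute. The function name, finding labels and sample header values are constructed for illustration.

```python
# Added example: audit response headers against the HTTP vs HTTPS rules
# discussed in the thread. Names and sample values are hypothetical.

def audit_headers(scheme, headers):
    """Return a list of finding labels for one response.

    scheme  -- "http" or "https" (how the UI is actually served)
    headers -- list of (name, value) tuples as received
    """
    findings = []
    https = scheme.lower() == "https"
    for name, value in headers:
        lname = name.lower()
        # CSP directives and cookie attributes are both ';'-separated.
        parts = [p.strip().lower() for p in value.split(";") if p.strip()]
        if lname == "content-security-policy":
            # On HTTP this directive rewrites subresource loads to HTTPS,
            # which fails when no TLS listener exists (the #5341 symptom).
            if not https and "upgrade-insecure-requests" in parts:
                findings.append("csp-upgrade-on-http")
        elif lname == "set-cookie":
            attrs = parts[1:]  # parts[0] is the name=value pair
            if "httponly" not in attrs:
                findings.append("cookie-missing-httponly")
            if https and "secure" not in attrs:
                findings.append("cookie-missing-secure")
            if not https and "secure" in attrs:
                # A Secure cookie is never sent back over plain HTTP.
                findings.append("cookie-secure-on-http")
        # Strict-Transport-Security is ignored on HTTP: nothing to flag.
    return findings

# Constructed sample: HTTPS-only header set, as served before the fix.
BEFORE = [
    ("Content-Security-Policy", "default-src 'self'; upgrade-insecure-requests"),
    ("Set-Cookie", "SESSID=abc123; Path=/; HttpOnly; Secure"),
    ("Strict-Transport-Security", "max-age=31536000"),
]
# Constructed sample: the HTTP variant suggested in the first comment.
HTTP_VARIANT = [
    ("Content-Security-Policy", "default-src 'self'"),
    ("Set-Cookie", "SESSID=abc123; Path=/; HttpOnly"),
    ("Strict-Transport-Security", "max-age=31536000"),
]

if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE), ("http-variant", HTTP_VARIANT)):
        for scheme in ("http", "https"):
            print(label, scheme, audit_headers(scheme, hdrs))
```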
