Fixed #5341 CSS Styles do not load in ISPConfig UI when no SSL is used
-
Developer
My fault on this one - I feel pretty dumb, not even considering that some folks might run ISPConfig without HTTPS.
The CSP header could still be used on HTTP sites, just remove "; upgrade-insecure-requests" from the end. I don't know how to do that in the template language right offhand (if/else or ??), so just mentioning it for now.
Similarly, the set-cookie header could/should still be set HTTPOnly, just drop off the 'Secure' if running ISPConfig without HTTPS.
FWIW, the HSTS header should be fine as is, it is ignored on HTTP sites.
-
Author Owner
Hi Jesse, my test servers are using https too, that's why I did not notice it earlier. I'll have a look at this to see if we can modify the options for http systems. But in general, I would say that users should just enable https. I guess we should consider disabling the option to not encrypt the UI in ISPConfig 3.2.
-
Developer
I'll submit a merge request which should handle this for http vs https.
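
The header adjustments described in the first comment, as an added example that is not part of this thread or ISPConfig's code: it derives the plain-HTTP variant of a header set by dropping `upgrade-insecure-requests` from the CSP and `Secure` from cookies, while leaving HSTS untouched. The function names and the sample header values are assumptions made for illustration.

```python
# Added illustration. SAMPLE values are constructed, not ISPConfig's real headers.

def split_directives(csp):
    """Split a CSP value into its non-empty, trimmed directives."""
    return [d.strip() for d in csp.split(";") if d.strip()]


def headers_for_scheme(headers, https):
    """Return (name, value) pairs suitable for the scheme the UI is served on.

    Over HTTPS the headers are returned unchanged. Over plain HTTP:
      - the CSP is kept but loses 'upgrade-insecure-requests', which would
        otherwise make the browser fetch CSS/JS over HTTPS and fail;
      - Set-Cookie keeps HttpOnly but loses 'Secure', since a Secure cookie
        is not accepted or sent over HTTP;
      - Strict-Transport-Security passes through, browsers ignore it on HTTP.
    """
    if https:
        return list(headers)
    out = []
    for name, value in headers:
        lname = name.lower()
        if lname == "content-security-policy":
            kept = [d for d in split_directives(value)
                    if d.split()[0].lower() != "upgrade-insecure-requests"]
            if not kept:
                continue  # nothing left to send
            value = "; ".join(kept)
        elif lname == "set-cookie":
            parts = [p.strip() for p in value.split(";")]
            # parts[0] is name=value; only attributes after it are filtered
            attrs = [p for p in parts[1:] if p and p.lower() != "secure"]
            value = "; ".join([parts[0]] + attrs)
        out.append((name, value))
    return out


SAMPLE = [  # constructed sample header set
    ("Content-Security-Policy",
     "default-src 'self'; img-src 'self' data:; upgrade-insecure-requests"),
    ("Set-Cookie", "SESSID=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"),
    ("Strict-Transport-Security", "max-age=31536000"),
]

if __name__ == "__main__":
    for name, value in headers_for_scheme(SAMPLE, https=False):
        print(f"{name}: {value}")
```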