mysociety / research-repository

A place for mySociety to keep its research in a sensibly organised and presented manner.

Home Page: http://research.mysociety.org/

Migrate to HTTPS

jacksonj04 opened this issue

Via Google Webmaster Tools:

To owner of http://research.mysociety.org,

Starting October 2017, Chrome (version 62) will show a 'NOT SECURE' warning when users enter text in a form on an HTTP page, and for all HTTP pages in Incognito mode.
The following URLs on your site include text input fields (such as `<input type="text">` or `<input type="email">`) that will trigger the new Chrome warning. Review these examples to see where these warnings will appear, so that you can take action to help protect users’ data. This list is not exhaustive.

http://research.mysociety.org/

The new warning is part of a long term plan to mark all pages served over HTTP as 'not secure'.

Here’s how to fix this problem:

Migrate to HTTPS

To prevent the “Not Secure” notification from appearing when Chrome users visit your site, only collect user input data on pages served using HTTPS.

I'm not entirely familiar with the necessary process for this, but am happy to do the wiki reading to figure it out (I don't believe it's anything too nasty). @sagepe, can you foresee a problem with this? Does the submodule-pulling for static research projects cause an issue with this?

I think it should be fairly straightforward, although there's a redirect in the local httpd.conf that should probably be adjusted along with the usual bits.

This is the email sign-up form triggering this, right? Would be good to avoid if that's going to start next week.

I've added a certificate, set https and https_only in the deployment JSON and redeployed the site. It seems OK to a quick review; you might want to give it a once-over to confirm it's all fine.

Note there were local changes to general.yml that need checking and committing - I'll leave this for you to review and sort out.
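
For the "once over" after a migration like this, the condition in the Google notice can be checked mechanically. The following is an added example, not part of the original thread or the repository's code: it scans fetched pages for text-entry fields served over HTTP and, going slightly beyond the notice, for forms that still submit to an `http://` target. The host `site.example`, the sample markup and the list of field types beyond `text` and `email` are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumption: the notice names only "text" and "email"; the other
# free-text input types are added here as likely triggers.
TEXT_TYPES = {"text", "email", "password", "search", "tel", "url"}

class FormFieldScanner(HTMLParser):
    """Collects text-entry fields and form submission targets from one page."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.text_fields = []   # e.g. "input[type=email]"
        self.form_targets = []  # absolute URLs the forms submit to

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "input":
            # A missing type attribute defaults to "text" in HTML.
            kind = (attrs.get("type") or "text").strip().lower()
            if kind in TEXT_TYPES:
                self.text_fields.append(f"input[type={kind}]")
        elif tag == "textarea":
            self.text_fields.append("textarea")
        elif tag == "form":
            # An empty or missing action submits to the page's own URL.
            action = attrs.get("action") or ""
            self.form_targets.append(urljoin(self.page_url, action))

def audit_page(page_url, html):
    """Return a list of findings for one already-fetched page."""
    scanner = FormFieldScanner(page_url)
    scanner.feed(html)
    findings = []
    if urlsplit(page_url).scheme == "http" and scanner.text_fields:
        fields = ", ".join(scanner.text_fields)
        findings.append(f"{page_url}: text entry over HTTP ({fields})")
    for target in scanner.form_targets:
        if urlsplit(target).scheme == "http":
            findings.append(f"{page_url}: form submits to {target}")
    return findings

# Constructed sample markup resembling an email sign-up form.
SAMPLE_HTML = ('<form action="/subscribe"><input type="email" name="e">'
               '<input type="submit"></form>')

if __name__ == "__main__":
    for url in ("http://site.example/", "https://site.example/"):
        print(url, audit_page(url, SAMPLE_HTML) or "clean")
```
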