A cookie with your coffee?

[fraenkiman]

Hello everyone,

FlatPress supports both HTTP and HTTPS connections.
However, HTTP connections pose an increased security risk.
@prbt2016 has noticed that when using an HTTP connection, FlatPress equips the cookies with incorrect attributes and flags. As a result, it is not possible to log in to the admin area because the browser rejects the fp-sess, fp-user and fp-pass cookies.

This raises the question of whether FlatPress should still support HTTP connections in development and productive operation in the future. I have created an issue about this.

What do you think about this?

Don't eat so many cookies!

With best regards
Frank

[Arvid]

Hi, interesting topic and worth discussing.

My 2 cents: Yes, FlatPress should work on HTTP-only servers. There might be reasons we don't know (testing, internal use, you name it) - we should leave every user the freedom of choice. But of course we'll keep encouraging users to go secure!

What do the others think?
Are you running FlatPress HTTP-only - and why?

Happy to receive your opinions!
All the best,
Arvid

[Arvid]

Feedback by Felix on Mastodon:

On some hosts there may be no choice. For example InfinityFree doesn't seem to provide automatic HTTPS on free accounts.