[wp-trac] [WordPress Trac] #28521: FORCE_SSL constant for really forcing SSL

WordPress Trac noreply at wordpress.org
Wed Sep 19 20:08:11 UTC 2018


#28521: FORCE_SSL constant for really forcing SSL
-------------------------------+---------------------
 Reporter:  johnbillion        |       Owner:  (none)
     Type:  task (blessed)     |      Status:  new
 Priority:  normal             |   Milestone:  4.9.9
Component:  Security           |     Version:
 Severity:  normal             |  Resolution:
 Keywords:  needs-patch https  |     Focuses:
-------------------------------+---------------------
Changes (by westonruter):

 * milestone:  Future Release => 4.9.9


Comment:

 As [https://wordpress.slack.com/archives/C0AHSFXSA/p1536787151000100
 posted] in Slack (in the newly-secured
 [https://wordpress.slack.com/messages/C0AHSFXSA #core-https] channel), I
 did a quick reflection on what would make sense as part of 4.9.9:

 1. Detect whether HTTPS is available (by doing loopback request).
 2. Default to setting `home` and `siteurl` to HTTPS when installing
 WordPress (if HTTPS is available).
 3. If HTTPS is not enabled, show a warning notice about why it is
 important. Include link to Codex page.

 Stretch goals for 4.9.9:

 4. Add checkbox under Home and Site URL fields to opt user into HTTPS
 (even when `WP_HOME` and `WP_SITEURL` constants are set); doing so would
 force HTTPS via filters on `home` and `siteurl` options, respectively.
 5. Scrape content of homepage to see if there are any external HTTP
 resources which would fail if switched to HTTPS, and show warning.
 6. Add redirect from HTTP to HTTPS for requests that don't already do this
 via `redirect_canonical()`.
 7. Add `Content-Security-Policy: upgrade-insecure-requests` response
 header if HTTPS is enabled. This is supported in all browsers other than
 IE11 and avoids the need to do messy s/http/https/ string replacements in
 `the_content`, enqueued scripts/styles, etc.
 8. Add HSTS response header.

 Thoughts? Anything else I'm forgetting?

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/28521#comment:18>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
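Items 1, 3, 4, 6, 7 and 8 of the list above, sketched as one must-use plugin. This is an added illustration, not code from the ticket, from WordPress core or from westonruter; it uses only core APIs that exist today (`wp_remote_get`, the `option_home`/`option_siteurl` filters, `set_url_scheme`, `is_ssl`, `wp_safe_redirect`, the `send_headers` action). The `fh_` function names, the `FH_FORCE_HTTPS` opt-in constant (standing in for the ticket's proposed `FORCE_SSL`), the transient name and the documentation URL are assumptions made here. Items 2 (install-time defaults) and 5 (scraping the homepage for `http://` resources) are not shown.

```php
<?php
/**
 * Plugin Name: Force HTTPS (illustrative mu-plugin, not core code)
 *
 * Assumed to live in wp-content/mu-plugins/ on a site whose TLS setup is
 * already working. Helper names (fh_*) and FH_FORCE_HTTPS are made up here.
 */

// 1. Detect whether HTTPS is available with a loopback request to the
//    site's own https:// URL. The result is cached for an hour so the
//    check does not run on every page load.
function fh_https_available() {
    $cached = get_transient( 'fh_https_available' ); // assumed transient name
    if ( false !== $cached ) {
        return '1' === $cached;
    }
    $response = wp_remote_get(
        home_url( '/', 'https' ),
        array(
            'timeout'     => 5,
            'redirection' => 0,
            'sslverify'   => true, // an untrusted certificate counts as "not available"
        )
    );
    $code = wp_remote_retrieve_response_code( $response );
    $ok   = ! is_wp_error( $response ) && $code >= 200 && $code < 400;
    set_transient( 'fh_https_available', $ok ? '1' : '0', HOUR_IN_SECONDS );
    return $ok;
}

// 3. Warn administrators while the site is still served over plain HTTP.
add_action( 'admin_notices', 'fh_https_notice' );
function fh_https_notice() {
    if ( is_ssl() || ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $docs = 'https://example.invalid/why-https'; // placeholder for the documentation link
    $msg  = fh_https_available()
        ? 'HTTPS is available for this site but is not enabled.'
        : 'This site is served over plain HTTP and no HTTPS endpoint answered.';
    printf(
        '<div class="notice notice-warning"><p>%s <a href="%s">Why HTTPS matters</a></p></div>',
        esc_html( $msg ),
        esc_url( $docs )
    );
}

// 4. Opt-in: rewrite the home and siteurl options to https:// via filters.
//    Core hooks _config_wp_home()/_config_wp_siteurl() on the same filters
//    when WP_HOME/WP_SITEURL are defined, so a later priority wins over them.
function fh_force_https_url( $url ) {
    return set_url_scheme( $url, 'https' );
}

if ( defined( 'FH_FORCE_HTTPS' ) && FH_FORCE_HTTPS ) {
    add_filter( 'option_home', 'fh_force_https_url', 20 );
    add_filter( 'option_siteurl', 'fh_force_https_url', 20 );
    add_action( 'template_redirect', 'fh_redirect_to_https', 1 ); // 6.
    add_action( 'send_headers', 'fh_send_security_headers' );     // 7 and 8.
}

// 6. Redirect plain-HTTP requests that redirect_canonical() does not catch.
function fh_redirect_to_https() {
    if ( is_ssl() ) {
        return;
    }
    // Only GET/HEAD can be redirected without silently dropping a request body.
    if ( ! in_array( $_SERVER['REQUEST_METHOD'], array( 'GET', 'HEAD' ), true ) ) {
        return;
    }
    // Build the target from the configured home host, not the Host header,
    // and let wp_safe_redirect() reject anything outside the allowed hosts.
    $host   = wp_parse_url( home_url(), PHP_URL_HOST );
    $target = 'https://' . $host . $_SERVER['REQUEST_URI'];
    wp_safe_redirect( $target, 302 ); // switch to 301 once the setup is confirmed
    exit;
}

// 7 and 8. Response headers, only on responses that are already HTTPS.
function fh_send_security_headers() {
    if ( ! is_ssl() || headers_sent() ) {
        return;
    }
    // Browsers fetch http:// subresources over https:// instead, so no
    // s/http/https/ rewriting of the_content or enqueued assets is needed.
    header( 'Content-Security-Policy: upgrade-insecure-requests' );
    // HSTS: begin with a short max-age and without includeSubDomains/preload;
    // raise it only after every host it would cover is confirmed on HTTPS,
    // because browsers will keep enforcing it after a misconfiguration.
    header( 'Strict-Transport-Security: max-age=300' );
}
```

Two caveats worth checking before enabling this on a real site: behind a load balancer that terminates TLS, `is_ssl()` sees a plain-HTTP connection and the redirect in step 6 loops unless `$_SERVER['HTTPS']` is set from `X-Forwarded-Proto` in `wp-config.php`; and the loopback in step 1 fails on hosts that block requests to their own public address, which is why the admin notice distinguishes "not enabled" from "no endpoint answered".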