[wp-trac] [WordPress Trac] #28521: FORCE_SSL constant for really forcing SSL
WordPress Trac
noreply at wordpress.org
Wed Sep 19 20:08:11 UTC 2018
#28521: FORCE_SSL constant for really forcing SSL
-------------------------------+---------------------
 Reporter:  johnbillion        |  Owner:  (none)
 Type:  task (blessed)         |  Status:  new
 Priority:  normal             |  Milestone:  4.9.9
 Component:  Security          |  Version:
 Severity:  normal             |  Resolution:
 Keywords:  needs-patch https  |  Focuses:
-------------------------------+---------------------
Changes (by westonruter):
* milestone: Future Release => 4.9.9
Comment:
As [https://wordpress.slack.com/archives/C0AHSFXSA/p1536787151000100 posted] in Slack
(in the newly-secured [https://wordpress.slack.com/messages/C0AHSFXSA #core-https] channel),
I did a quick reflection on what would make sense as part of 4.9.9:
1. Detect whether HTTPS is available (by doing loopback request).
2. Default to setting `home` and `siteurl` to HTTPS when installing
WordPress (if HTTPS is available).
3. If HTTPS is not enabled, show a warning notice about why it is
important. Include link to Codex page.
Stretch goals for 4.9.9:
4. Add checkbox under Home and Site URL fields to opt user into HTTPS
(even when `WP_HOME` and `WP_SITEURL` constants are set); doing so would
force HTTPS via filters on `home` and `siteurl` options, respectively.
5. Scrape content of homepage to see if there are any external HTTP
resources which would fail if switched to HTTPS, and show warning.
6. Add redirect from HTTP to HTTPS for requests that don't already do this
via `redirect_canonical()`.
7. Add `Content-Security-Policy: upgrade-insecure-requests` response
header if HTTPS is enabled. This is supported in all browsers other than
IE11 and avoids the need to do messy s/http/https/ string replacements in
`the_content`, enqueued scripts/styles, etc.
8. Add HSTS response header.
Thoughts? Anything else I'm forgetting?
--
Ticket URL: <https://core.trac.wordpress.org/ticket/28521#comment:18>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
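The following is an added example, not code from the ticket or from WordPress core, sketching how items 1, 3, 4, 6, 7 and 8 of the list above could be wired together as a must-use plugin. The constant `FORCE_HTTPS_OPT_IN` (standing in for the proposed checkbox) and the `force_https_*` function names are hypothetical; the hooks and functions used (`option_home`, `option_siteurl`, `template_redirect`, `send_headers`, `admin_notices`, `is_ssl()`, `set_url_scheme()`, `wp_safe_redirect()`, `wp_remote_get()`, transients) are existing WordPress APIs.

```php
<?php
/**
 * Plugin Name: Force HTTPS (illustrative example, not core code)
 *
 * Hypothetical names: FORCE_HTTPS_OPT_IN and the force_https_* functions.
 */

// Item 1: detect whether HTTPS is reachable via a loopback request. The
// result is cached in a transient so the request is not repeated on every
// page load. A static guard prevents recursion, because home_url() reads the
// `home` option, which the filter below also hooks.
function force_https_available() {
    static $checking = false;
    if ( $checking ) {
        return false;
    }
    $cached = get_transient( 'force_https_available' );
    if ( false !== $cached ) {
        return (bool) $cached;
    }
    $checking = true;
    $url      = set_url_scheme( home_url( '/' ), 'https' );
    $response = wp_remote_get( $url, array( 'timeout' => 5, 'sslverify' => true ) );
    $ok       = ! is_wp_error( $response )
        && 200 === wp_remote_retrieve_response_code( $response );
    $checking = false;
    set_transient( 'force_https_available', $ok ? 1 : 0, HOUR_IN_SECONDS );
    return $ok;
}

// Item 4: only force HTTPS when the user opted in AND the loopback succeeded,
// so a misconfigured certificate cannot lock the site out.
function force_https_opted_in() {
    return defined( 'FORCE_HTTPS_OPT_IN' ) && FORCE_HTTPS_OPT_IN && force_https_available();
}

// Item 4: rewrite the scheme of `home` and `siteurl`. Priority 20 runs after
// _config_wp_home()/_config_wp_siteurl() (priority 10), so this applies even
// when WP_HOME / WP_SITEURL are defined in wp-config.php.
function force_https_option_scheme( $url ) {
    return force_https_opted_in() ? set_url_scheme( $url, 'https' ) : $url;
}
add_filter( 'option_home', 'force_https_option_scheme', 20 );
add_filter( 'option_siteurl', 'force_https_option_scheme', 20 );

// Item 6: redirect front-end HTTP requests to HTTPS (wp-admin is covered by
// FORCE_SSL_ADMIN). Behind a TLS-terminating proxy is_ssl() must be taught
// about X-Forwarded-Proto first, otherwise this produces a redirect loop.
// wp_safe_redirect() refuses hosts outside the allowed list, so a spoofed
// Host header cannot turn this into an open redirect.
function force_https_redirect() {
    if ( is_ssl() || ! force_https_opted_in() || wp_doing_ajax() || wp_doing_cron() ) {
        return;
    }
    $target = 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
    // 302 while validating; switch to 301 once the setup is known to work,
    // since browsers cache 301s aggressively.
    wp_safe_redirect( $target, 302 );
    exit;
}
add_action( 'template_redirect', 'force_https_redirect', 1 );

// Items 7 and 8: upgrade-insecure-requests and HSTS, sent only on HTTPS
// responses. Start with a short HSTS max-age and raise it once the redirect
// has been observed working; a long max-age on a broken setup is hard to undo.
function force_https_headers() {
    if ( ! is_ssl() || headers_sent() ) {
        return;
    }
    header( 'Content-Security-Policy: upgrade-insecure-requests' );
    header( 'Strict-Transport-Security: max-age=300' );
}
add_action( 'send_headers', 'force_https_headers' );

// Item 3: warn administrators while the site is still served over HTTP.
function force_https_admin_notice() {
    if ( is_ssl() || ! current_user_can( 'manage_options' ) ) {
        return;
    }
    echo '<div class="notice notice-warning"><p>'
        . esc_html__( 'This site is not served over HTTPS. Logins and sessions are exposed to network eavesdropping.', 'force-https' )
        . '</p></div>';
}
add_action( 'admin_notices', 'force_https_admin_notice' );
```

Drop the file into `wp-content/mu-plugins/` and define `FORCE_HTTPS_OPT_IN` as `true` in `wp-config.php` to enable the rewrite and redirect; the headers and the admin notice are keyed on `is_ssl()` alone. The loopback gate is the important design choice: forcing the scheme on `home`/`siteurl` without first proving that HTTPS answers is the classic way to lock an administrator out of their own site.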