On Jun 30, 2017, at 11:42 AM, Richard Hipp <[email protected]> wrote:
>
> Trunk now contains a "Security Audit" page whose purpose is to review
> the countless settings and configuration options in Fossil and try to
> sniff out undesirable misconfigurations.
Yay!
Does it automate the permission sanity checks I posted to the -users list once
upon a time?
https://www.mail-archive.com/[email protected]/msg22473.html
A possible improvement: its check for the forced-HTTPS option should be smart
enough to try connecting to $hostname on port 80 to see if it gets an immediate
redirect to port 443, and if so, suppress the warning. I haven’t had this
setting enabled on my repos because I enforce HTTPS at the front-end proxy
layer on my public Fossil instances.
Obviously there’s an easy workaround: enable the setting to placate the tool,
but I don’t *like* placating tools. :)
_______________________________________________
fossil-dev mailing list
[email protected]
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/fossil-dev
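One way to implement the probe suggested in the message above, as an added example that is neither Fossil's code nor the poster's: connect to the host on port 80 without following redirects, and treat an immediate 3xx pointing at an https:// URL on the same host as proof that HTTPS is already enforced (here by a front-end proxy), so the forced-HTTPS warning can be suppressed. The function names `is_https_redirect` and `probe_forced_https` are illustrative; the decision logic is kept separate from the network call so it can be exercised offline with constructed responses.

```python
"""Added example, not Fossil's own code: decide whether a host already
forces HTTPS by redirecting plain-HTTP requests to itself over https://.
Function names are illustrative assumptions."""
import http.client
import socket
from urllib.parse import urlsplit

# Only a real redirect status counts; a 200 with a meta-refresh does not.
REDIRECT_CODES = {301, 302, 303, 307, 308}


def is_https_redirect(status, headers, hostname):
    """Return True when (status, headers) describe an immediate redirect of
    http://hostname/... to an https:// URL on the same host.

    `headers` is any mapping; header names are matched case-insensitively.
    """
    if status not in REDIRECT_CODES:
        return False
    location = None
    for name, value in headers.items():
        if name.lower() == "location":
            location = value
            break
    if not location:
        return False
    target = urlsplit(location)
    # Relative Locations ("/login") have no scheme and prove nothing.
    if target.scheme.lower() != "https":
        return False
    # A redirect to a different host (a CDN, a login portal) does not show
    # that *this* host enforces HTTPS, so do not suppress the warning.
    if target.hostname is None or target.hostname != hostname.lower():
        return False
    return True


def probe_forced_https(hostname, path="/", timeout=5.0):
    """Connect to hostname:80, request `path` without following redirects,
    and return (enforced, detail).

    `enforced` is True only when the server answers with an https:// redirect
    to itself; a closed port 80, a timeout or a plain 200 all yield False,
    which keeps the audit's warning in place (fail towards warning).
    """
    try:
        conn = http.client.HTTPConnection(hostname, 80, timeout=timeout)
        conn.request("GET", path, headers={"Host": hostname})
        resp = conn.getresponse()
        headers = dict(resp.getheaders())
        enforced = is_https_redirect(resp.status, headers, hostname)
        conn.close()
        location = headers.get("Location") or headers.get("location")
        return enforced, f"HTTP {resp.status} Location={location!r}"
    except (OSError, socket.timeout, http.client.HTTPException) as exc:
        return False, f"no usable answer on port 80: {exc}"


if __name__ == "__main__":
    # Constructed response pairs standing in for what a front-end proxy
    # would send; no network access is needed to exercise the decision.
    samples = [
        (301, {"Location": "https://repo.example.invalid/"}),        # enforced
        (200, {"Content-Type": "text/html"}),                         # not enforced
        (302, {"location": "http://repo.example.invalid/login"}),     # still plain http
        (301, {"Location": "https://cdn.example.invalid/"}),          # other host
    ]
    for status, hdrs in samples:
        print(status, hdrs, "->", is_https_redirect(status, hdrs, "repo.example.invalid"))
```

When wiring such a probe into an audit page, note that a redirect observed from port 80 only shows what the proxy in front of the repository does at the moment of the check; the HTTPS-only setting inside the application remains the stronger guarantee, so the tool might downgrade the finding to informational rather than drop it entirely.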