Secure entire site

Posted by Community Admin on 03-Aug-2018 22:47

Secure entire site

Sitefinity - General Discussions

All Replies

Posted by Community Admin on 15-Nov-2011 00:00

I want my entire website to be secure, both frontend and backend pages. I could go through each of the pages and set the flag to require SSL but that's a lot of work. Any issue with just doing it directly in the database (other than it's probably considered taboo).

Are there any known issues with making all the backend pages secure? Alternatively, I could just make the frontend pages secure because those are the ones I'm most concerned about, but figured while I'm at it, I may as well make them all secure.

UPDATE sf_page_data SET require_ssl = 1

I'm not concerned about the overhead on the web server of encrypting pages.

Thanks,
Eric

Posted by Community Admin on 18-Nov-2011 00:00

Hello Eric,

You can set the RequireSSL property for all pages using our Pages API
Please find below a code sample I've prepared for you which should accomplish this task:

App.WorkWith().Pages()
                          .Where(p => p.Page != null)
                           .ForEach(p =>
                                       
                                           p.Page.RequireSsl = false;
                                       ).SaveChanges();
unless explicitly specified PageLocation (e.g. .LocatedIn(Telerik.Sitefinity.Fluent.Pages.PageLocation.Backend) the code will travrse through all pages and set their RequireSSL property to true.. As an alternative approach I believe you might find this blog post we have recently released, useful. If you need some additional information, do not hesitate to let us know.

All the best,
Boyan Barnev
the Telerik team
Do you want to have your say in the Sitefinity development roadmap? Do you want to know when a feature you requested is added or when a bug fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items

Posted by Community Admin on 21-Nov-2011 00:00

Eric,

Can I ask why you're looking to do that in the first place? Keep in mind that requiring SSL won't make your site more secure, simply the connection that the user has to your server. If you're currently running anything that may pose a security risk, it'll still be a security risk after the proposed modifications are made. Also, you may be alright with your server having a bit more processing to do but your users will feel it too as content delivered via SSL isn't (isn't supposed to be...) cached.

Login pages, backend pages and anything with sensitive data should be the only thing that you would need to require SSL for.

Either way, good luck!

Posted by Community Admin on 21-Nov-2011 00:00

I disagree with your statement that it won't make the site more secure. It reduces the chances of session hijacking and man-in-the-middle attacks. The site would still be vulnerable to other attacks.

But that's not the reason. This would be in an attempt to reduce the likelihood of running into the confirmed Sitefinity bug that causes Internet Explorer to show the "This page cannot be displayed" error page when being redirected from an HTTPS to an HTTP page. If all the pages on the site are on HTTPS, I would never redirect to a page over HTTP and thus avoid this bug.

I hope they fix this bug in 4.4.

Eric

This thread is closed