Secure entire site
I want my entire website to be secure, both frontend and backend pages. I could go through each of the pages and set the flag to require SSL but that's a lot of work. Any issue with just doing it directly in the database (other than it's probably considered taboo).
Are there any known issues with making all the backend pages secure? Alternatively, I could just make the frontend pages secure because those are the ones I'm most concerned about, but figured while I'm at it, I may as well make them all secure.
UPDATE
sf_page_data
SET
require_ssl = 1
Hello Eric,
You can set the RequireSSL property for all pages using our Pages API
Please find below a code sample I've prepared for you which should accomplish this task:
App.WorkWith().Pages()
.Where(p => p.Page !=
null
)
.ForEach(p =>
p.Page.RequireSsl =
false
;
).SaveChanges();
Eric,
Can I ask why you're looking to do that in the first place? Keep in mind that requiring SSL won't make your site more secure, simply the connection that the user has to your server. If you're currently running anything that may pose a security risk, it'll still be a security risk after the proposed modifications are made. Also, you may be alright with your server having a bit more processing to do but your users will feel it too as content delivered via SSL isn't (isn't supposed to be...) cached.
Login pages, backend pages and anything with sensitive data should be the only thing that you would need to require SSL for.
Either way, good luck!
I disagree with your statement that it won't make the site more secure. It reduces the chances of session hijacking and man-in-the-middle attacks. The site would still be vulnerable to other attacks.
But that's not the reason. This would be in an attempt to reduce the likelihood of running into the confirmed Sitefinity bug that causes Internet Explorer to show the "This page cannot be displayed" error page when being redirected from an HTTPS to an HTTP page. If all the pages on the site are on HTTPS, I would never redirect to a page over HTTP and thus avoid this bug.
I hope they fix this bug in 4.4.
Eric