Auto-Created Login page should require HTTPS by default

By Justin James on 9 Dec 2017

Noticed that when I create a new Application, the "Login" page generated by the platform does NOT require HTTPS. This is a "worst practice". People count on the platform being secure BY DEFAULT and this is a major security breach.

Rui Covelo, 12 Dec 2017

Hello Justin,

I know it's not the same thing but you can enable forcing HTTPS for screens in web applications and HSTS under Lifetime. This covers most cases, right?
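
A check a platform owner could run against the generated Login page once forcing HTTPS and HSTS are switched on, as an added example that is not OutSystems or LifeTime code: it evaluates constructed (status, headers) pairs rather than live responses, so it runs offline, and the hostname and header values are assumptions.

```python
"""Verify that a login page is only served over HTTPS and carries HSTS.

Added example, not OutSystems code. It works on (status, headers) pairs, so the
sample responses below are constructed inline and no network access is needed.
"""
from urllib.parse import urlparse

# Constructed sample responses (assumed values, not taken from any real server).
SAMPLE_HTTP_REDIRECT = (301, {"Location": "https://example.test/Login.aspx"})
SAMPLE_HTTP_SERVES_LOGIN = (200, {"Content-Type": "text/html"})  # weak: login over HTTP
SAMPLE_HTTPS_WITH_HSTS = (200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})
SAMPLE_HTTPS_NO_HSTS = (200, {"Content-Type": "text/html"})


def parse_hsts(value):
    """Parse a Strict-Transport-Security header into (max_age, include_subdomains)."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        val = val.strip().strip('"')
        if name.lower() == "max-age" and val.isdigit():
            max_age = int(val)
        elif name.lower() == "includesubdomains":
            include_sub = True
    return max_age, include_sub


def find_https_enforcement_issues(http_response, https_response, min_max_age=180 * 24 * 3600):
    """Return a list of findings; an empty list means HTTPS is enforced for the page."""
    issues = []
    status, headers = http_response
    headers = {k.lower(): v for k, v in headers.items()}
    # The plain-HTTP request must be redirected, and the target must be an https:// URL.
    if status not in (301, 302, 307, 308) or urlparse(headers.get("location", "")).scheme != "https":
        issues.append("plain-HTTP request is not redirected to HTTPS")
    status, headers = https_response
    headers = {k.lower(): v for k, v in headers.items()}
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        issues.append("no Strict-Transport-Security header on the HTTPS response")
    else:
        max_age, include_sub = parse_hsts(hsts)
        if max_age is None or max_age < min_max_age:
            issues.append("HSTS max-age missing or shorter than %d seconds" % min_max_age)
        if not include_sub:
            issues.append("HSTS lacks includeSubDomains")
    return issues
```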

Justin James, 12 Dec 2017

I've been using Lifetime since... well, since around a few months after it was first released.

I have NEVER seen that setting before. I only found it because your message made me look for it. It is BURIED.

That is simply not good enough. :(

J., 15 Dec 2017

Imho, HTTP should not be possible anymore.

Rui Covelo, 15 Dec 2017

That would be nice. Unfortunately, setting up an HTTPS configuration that is widely accepted is not as easy as it should be. On one hand, it's getting easier to generate or request certificates. But at the same time, browsers are getting pickier (for good reasons) about the type of certificates and encryption they accept, making it harder for anyone trying out the platform. We also have to be sure not to break (too much) compatibility with older systems and implementations.

So going full-on HTTPS is something we want but that we have to carefully consider.

Justin James, 15 Dec 2017

Almost all mobile apps (and all OutSystems mobile apps) are 100% HTTPS... there's no reason desktop can't be either. Especially with the move to the OutSystems cloud where the certs are good and included in the bundle.

The only places I see HTTPS being an issue are on-prem installations that insist on using self-generated certificates or don't bother with it at all. And those places should feel PUNISHED for their bad decisions by having this thing need them to jump through hoops to make it work. Instead of the rest of us being punished to have default settings that make these customers happy.

Same reason why Advanced SQL doesn't let you access the OSUSR tables directly without a lot of work... security should be job #1.