I believe that HTTP administration should never even be allowed in the first place; however, the current feature of allowing HTTP to be disabled does not do enough -- it is still insecure.
In short, what I want is:
1. when HTTP admin is disabled, do not even display login page
2. when HTTP admin is disabled, redirect all admin URLs to the HTTPS login page
3. issue cookies that are valid for HTTPS only
4. if a valid SSL cert is in use (i.e. not self-signed), use the HSTS header with all HTTPS responses
For example, despite disabling HTTP, I can still log in over HTTP and get a valid session cookie, but I am only then blocked from using the admin pages. This means that I can still accidentally attempt to log in over HTTP and expose my credentials, and receive a cookie that can be hijacked.
Steps:
* log out of admin
* go to HTTP root (e.g. http://10.0.0.1/)
* get redirected to HTTP admin login url (http://10.0.0.1/auth/login?url=/setu...=Administrator)
* enter admin credentials
* get redirected to the "HTTP is disabled" page
* change HTTP in URL to HTTPS
* already logged in
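The four requested behaviours, as an added example of how the admin request handler could enforce them (illustrative code, not the product's own). It assumes HTTP admin is disabled, a hypothetical `/auth/login` endpoint as in the report, and constructed `Request`/`Response` types standing in for the real server's.

```python
from dataclasses import dataclass, field
from urllib.parse import urlunsplit
import secrets

# Constructed stand-ins for the server's request/response objects.
@dataclass
class Request:
    scheme: str          # "http" or "https"
    host: str
    path: str
    method: str = "GET"
    query: str = ""

@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""

HSTS_VALUE = "max-age=31536000; includeSubDomains"

def handle_admin(req, cert_trusted, login_ok):
    """Handle one admin request with HTTP admin disabled (hypothetical handler)."""
    # Rules 1 and 2: nothing, not even the login form, is served in cleartext;
    # every admin URL is redirected to the same URL over HTTPS. A 301 turns a
    # POSTed login into a GET, so submitted credentials are never processed.
    if req.scheme != "https":
        target = urlunsplit(("https", req.host, req.path, req.query, ""))
        return Response(301, {"Location": target})
    resp = Response(200)
    # Rule 4: HSTS only behind a certificate browsers actually trust; with a
    # self-signed cert it would lock clients out of the device.
    if cert_trusted:
        resp.headers["Strict-Transport-Security"] = HSTS_VALUE
    if req.path == "/auth/login" and req.method == "POST":
        if not login_ok:
            resp.status = 401
            return resp
        # Rule 3: Secure means the browser never sends this cookie over HTTP,
        # so a cleartext hijack of the session is not possible.
        token = secrets.token_urlsafe(32)
        resp.headers["Set-Cookie"] = (
            f"session={token}; Secure; HttpOnly; SameSite=Strict; Path=/")
        resp.status = 303
        resp.headers["Location"] = "/"
        return resp
    resp.body = "login form" if req.path == "/auth/login" else "admin page"
    return resp
```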