Make HTTPS a requirement when using the RCC or the API.
How to implement
Two small PHP files should be implemented and included in all PHP files in the rcc/ directory. These files check whether the connection was made over SSL and, if not, print an error message stating that SSL is required for accessing this page. The two files are identical in their PHP code but differ in their output: one should present a proper web page based on the resources used by the RCC pages, to be included in the RCC pages, and the other should be used by the API, returning a useful HTTP response header and body.
A debug: true/false flag in the RCC section of config.yaml should be able to disable this requirement for testing purposes. This setting should only be changed by editing config.yaml directly, not through the scripts in the bin directory.
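An added example (not Rangitaki's own code) of the shared check the two files would contain, with the page or API output selected by a parameter. It assumes the PECL yaml extension's yaml_parse_file() for reading config.yaml and a key layout of rcc: debug:; both are assumptions, as is the exact wording of the error output.

```php
<?php
// require_https.php: added example, not Rangitaki's own code. It assumes the
// PECL yaml extension's yaml_parse_file() and a config layout of rcc: { debug: }.
declare(strict_types=1);

/** True when the request arrived over TLS; $server is normally $_SERVER. */
function rcc_is_https(array $server, bool $trustProxyHeader = false): bool
{
    if (!empty($server['HTTPS']) && strtolower((string)$server['HTTPS']) !== 'off') {
        return true;
    }
    if ((int)($server['SERVER_PORT'] ?? 0) === 443) {
        return true;
    }
    // Honour X-Forwarded-Proto only behind a trusted TLS-terminating proxy;
    // any client can set this header, so trusting it blindly defeats the check.
    if ($trustProxyHeader && isset($server['HTTP_X_FORWARDED_PROTO'])) {
        return strtolower((string)$server['HTTP_X_FORWARDED_PROTO']) === 'https';
    }
    return false;
}

/** Abort with an error unless the request is HTTPS or rcc.debug is true. */
function rcc_require_https(array $config, string $mode = 'html'): void
{
    $debug = (bool)($config['rcc']['debug'] ?? false);
    if ($debug || rcc_is_https($_SERVER)) {
        return;
    }
    // No redirect: the page is simply refused, so no login form or Basic Auth
    // challenge is ever emitted on a plaintext connection.
    http_response_code(403);
    header('Cache-Control: no-store');
    if ($mode === 'api') {
        header('Content-Type: application/json');
        echo json_encode(['error' => 'ssl_required',
                          'message' => 'This API is only available over https://.']);
    } else {
        header('Content-Type: text/html; charset=utf-8');
        echo '<!DOCTYPE html><html><head><title>SSL required</title></head><body>'
           . '<h1>SSL required</h1><p>Please open the RCC over https://.</p></body></html>';
    }
    exit;
}

// Usage at the very top of an rcc/ page, before any authentication header is sent:
$config = yaml_parse_file(__DIR__ . '/../config.yaml');   // assumption: PECL yaml
rcc_require_https($config, 'html');                       // or 'api' in the API files
```

The include must run before any WWW-Authenticate challenge or login form is sent, otherwise the browser may already have submitted credentials over plaintext by the time the check fires.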
This also includes the reasons for switching from Digest Auth to Basic Auth:
- HTTP Basic Auth over SSL is more secure than HTTP Digest Auth without SSL (e.g. no man-in-the-middle attacks)
- HTTP Basic Auth is much simpler to implement in Rangitaki and much simpler to access from applications
- SSL certificates are nowadays available for free from organisations like Let's Encrypt.
- The RCC requires the user to log in to access its functions. This login uses a password, and passwords should only be submitted over an SSL connection.
- With HTTP Digest Auth, passwords can only be stored in plaintext. With HTTP Basic Auth, storing them hashed with bcrypt is possible and will be done.
The upcoming official apps should only allow https:// URLs to be entered.