Add 'secure' option for Routes

[lonnieezell]

There should be a way to enforce that a route can only be reached through HTTPS. This would be passed as an option to that route (or route group). If it's accessed via HTTP then it should be redirected to HTTPS.

[sv3tli0]

++

Projects as "letsencrypt.org" soon will give a free valid HTTPS option for all websites.
1 Route, Route Group or even the how app should has option to support only HTTPS requests. (perhaps the app should make and a proper redirection to HTTPS in all cases when the server doesn't do that at 1st place).
Its a good way to motivate people to push their apps to HTTPS and with that this will help improving security all over the net..

You know that some big companies are forcing anyone who is using their systems to have HTTPS already and this is 1 big +. In CI case of course it should be optional.

[narfbg]

A possibly helpful note: If you choose to do this via an HTTP redirect, make sure to use the 308 status code, which preserves the request method, i.e. won't change a POST to GET and destroy a submitted form's data.

https://tools.ietf.org/html/rfc7238

[lonnieezell]

@narfbg Excellent reminder. I probably would have forgotten that. Thank you.

[lonnieezell]

Notes to self:

• The SessionID must be regenerated when we switch from HTTP to HTTPS.
• Should attempt to use HTTP Strict Transport Security to enforce the switch. (Need to verify browser support)

[lonnieezell]

@narfbg As far as I can tell 308 is still not approved. Seems Firefox at least supports it, but unsure of the rest of the browsers. Looks like Google had a 308 used for resumable requests in their now-defunct Gears project. I cannot find a list of browser support for the different status codes.

Are you aware of a resource that tells us how much support 308 can expect? I'm currently using the default redirect option of 302/307 depending on request type but would like to move to 308 if we know it's supported.

[narfbg]

Hmm ... looks like I've overlooked the status of that RFC.

Experimental basically means that research and development efforts are in progress, but you can't reasonably expect support for it in production. For this one in particular, browsers should fallback to another 3xx code if they encounter a 308 and don't understand it, but some may refuse to process it at all.

[lonnieezell]

Alright, I'll leave this to the default 302/307 option, then, and we can keep an eye on things in the future. Thanks.

[narfbg]

On another note, this end result may be for the best in this particular case.

If there's e.g. a CSRF token in the message body for an unencrypted POST request, it's probably not a good idea to just redirect the same message body contents to a secure connection - we just had it over a non-httpS one, so it may've been intercepted. Better let the page generate a new token to be used under httpS. :)

[lonnieezell]

Oh dang. Yeah, good call! :)