HTTPS warning in production #1422

Closed
Twixes opened this issue Aug 13, 2020 · 2 comments · Fixed by #1437
Labels
enhancement New feature or request

Comments

@Twixes
Member

Twixes commented Aug 13, 2020

Is your feature request related to a problem?

It should be emphasized that PostHog should be run in production with TLS.

Describe the solution you'd like

A fixed bar – similar to the debug one – warning that TLS (https://) is a must when running over http:// with DEBUG false.

Additional context

This was suggested by @mariusandra in the onboarding rework Figma document.

Thank you for your feature request – we love each and every one!

@Twixes Twixes added enhancement New feature or request Dev Experience labels Aug 13, 2020
@paolodamico
Contributor

I'll update the Figma on #1408 with the suggestions, to push more on users setting up TLS correctly. I still think that we should allow users to continue even without TLS on the setup because sometimes you might have to wait a bit (e.g. if the CA hasn't issued the certificate), and therefore having this extra banner would be great!

@mariusandra
Collaborator

mariusandra commented Aug 13, 2020

Agreed that PostHog should definitely run over HTTP as well. This situation is very common if you're setting up the server manually to try it out. We should just tell the user of the tradeoffs with a big enough warning label that saves our ass if someone gets MITM'd this way.

In fact, restricting access on HTTP and just allowing HTTPS is almost impossible. Since TLS is handled outside PostHog, we have no way of knowing for certain if it's behind an HTTPS proxy or not.
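
The limitation described in the comment above, as an added example that is not part of the original thread and is not PostHog's code: when TLS terminates at a reverse proxy, the application only sees plain HTTP plus an `X-Forwarded-Proto` header that any client can forge, so the header counts only when the connecting peer is a known proxy. The function names, the `TRUSTED_PROXIES` list and the sample addresses are assumptions made for illustration.

```python
import ipaddress

# Hypothetical deployment setting: networks of the reverse proxies that terminate TLS.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("127.0.0.1/32"),
]


def effective_scheme(wsgi_scheme, peer_ip, headers, trusted=TRUSTED_PROXIES):
    """Return (scheme, certain); certain is False when the app can only guess."""
    if wsgi_scheme == "https":
        # The application server itself terminated TLS.
        return "https", True
    peer = ipaddress.ip_address(peer_ip)
    from_proxy = any(peer in net for net in trusted)
    forwarded = headers.get("X-Forwarded-Proto", "").strip().lower()
    if from_proxy and forwarded in ("http", "https"):
        # A trusted proxy reports how the client reached it.
        return forwarded, True
    # No header, or a header sent by an untrusted peer: treat as plain HTTP.
    # An unknown proxy in front may still be using TLS, hence certain=False.
    return "http", False


def should_show_tls_warning(debug, wsgi_scheme, peer_ip, headers):
    """Show the bar only with DEBUG false and no evidence of HTTPS."""
    if debug:
        return False
    scheme, _certain = effective_scheme(wsgi_scheme, peer_ip, headers)
    return scheme != "https"


if __name__ == "__main__":
    # Constructed sample requests: (debug, scheme, peer address, headers).
    samples = [
        (False, "http", "10.0.0.2", {"X-Forwarded-Proto": "https"}),
        (False, "http", "203.0.113.5", {"X-Forwarded-Proto": "https"}),
        (False, "http", "203.0.113.5", {}),
        (True, "http", "203.0.113.5", {}),
    ]
    for sample in samples:
        print(sample, "->", should_show_tls_warning(*sample))
```

Django's `SECURE_PROXY_SSL_HEADER` setting rests on the same trust assumption: it is only safe when the proxy strips or overwrites that header on every incoming request.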

@Twixes Twixes linked a pull request Aug 15, 2020 that will close this issue
Twixes added a commit that referenced this issue Aug 17, 2020
* Add tls-bar

* Clean up bar

* Update class names and notice

* Refactor for code quality