Conversation

@svenzik (Contributor) commented May 30, 2025

WE2-967

  • Replace http with https when the origin is loopback
  • Remove the `__Host-` prefix from the cookie key when using http, as that prefix requires an https connection

Signed-off-by: Sven Mitt [email protected]

@svenzik force-pushed the WE2-967-allow-http branch from a9ab5dd to 3d24ee2 on June 9, 2025 07:23
@mrts force-pushed the WE2-967-allow-http branch from 481f3f3 to c6c03fd on June 13, 2025 08:47
if (StringUtils.endsWith(localOrigin, "/")) {
throw new IllegalArgumentException("Configuration parameter local-origin cannot end with '/': " + localOrigin);
}
if (StringUtils.startsWith(localOrigin, "http:")) {
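Review bot: the condition on the last line gates only on the scheme, so every `http:` origin enters the branch, while the description allows http only when the origin is loopback; the loopback-host check therefore has to be enforced inside the branch, and any other http origin should be rejected with the same `IllegalArgumentException` pattern used for the trailing '/' case. Match the host exactly (parse with `java.net.URI` and accept only `localhost` or a literal loopback address) rather than with a string prefix such as `http://localhost`, which would also match `http://localhost.example.com`, and consider `StringUtils.startsWithIgnoreCase` if an upper-case scheme should not bypass the check.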
@mrts (Member) commented on the line above, Nov 13, 2025

I feel uneasy about doing this so directly, folks may start copy-pasting this into their code without thinking.

Can we perhaps use a special profile enable-http and add thorough comments to make it absolutely clear that this should not be used in production? Or am I too paranoid, do we want to assume abusing the loopback address is impossible?
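Added example (not the project's code) of the rules from the description combined with the explicit opt-in mrts asks for: an http `local-origin` is accepted only for a loopback host and only when a flag (a stand-in for the proposed `enable-http` profile) is set, is then rewritten to https, and the `__Host-` cookie prefix is dropped for http. The class, method and cookie names are assumptions.

```java
import java.net.InetAddress;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.UnknownHostException;

// Added illustration, not web-eid code: accept an http local-origin only for a loopback host
// and only behind an explicit opt-in flag (standing in for the proposed "enable-http" profile).
public final class LocalOriginPolicy {
    private static final String COOKIE_BASE_NAME = "WEB_EID_SESSION"; // hypothetical cookie name
    // Returns the origin to use: https passes through, loopback http is rewritten to https,
    // and anything else on http is rejected instead of being silently accepted.
    public static String normalizeLocalOrigin(String localOrigin, boolean httpLoopbackEnabled) {
        if (localOrigin == null || localOrigin.endsWith("/")) {
            throw new IllegalArgumentException("local-origin must be set and cannot end with '/': " + localOrigin);
        }
        final URI uri;
        try {
            uri = new URI(localOrigin);
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("local-origin is not a valid URI: " + localOrigin, e);
        }
        final String scheme = uri.getScheme() == null ? "" : uri.getScheme().toLowerCase();
        if (scheme.equals("https")) {
            return localOrigin;
        }
        if (!scheme.equals("http") || !httpLoopbackEnabled || !isLoopbackHost(uri.getHost())) {
            throw new IllegalArgumentException("http local-origin is only allowed for a loopback host with http explicitly enabled: " + localOrigin);
        }
        return "https" + localOrigin.substring(scheme.length()); // swap only the scheme, keep host/port
    }
    // Cookie name to use: browsers only honour the __Host- prefix over https, so drop it for plain http.
    public static String cookieName(String configuredOrigin) {
        return configuredOrigin.toLowerCase().startsWith("http:") ? COOKIE_BASE_NAME : "__Host-" + COOKIE_BASE_NAME;
    }

    // True only for "localhost" or a literal loopback IP; other hostnames are never resolved (no DNS lookup).
    static boolean isLoopbackHost(String host) {
        if (host == null) return false;
        if (host.equalsIgnoreCase("localhost")) return true;
        boolean ipv4Literal = host.matches("\\d{1,3}(\\.\\d{1,3}){3}");
        boolean ipv6Literal = host.startsWith("[") && host.endsWith("]");
        if (!ipv4Literal && !ipv6Literal) return false;
        try {
            return InetAddress.getByName(host).isLoopbackAddress();
        } catch (UnknownHostException e) {
            return false;
        }
    }
}
```

With the flag off, `normalizeLocalOrigin("http://localhost:8080", false)` throws, so a production deployment that forgets to remove the http setting fails at startup rather than running unprotected.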

@mrts force-pushed the WE2-967-allow-http branch from 0f9d6ab to 8c34c66 on November 13, 2025 15:12