Our DjangoCMS site is accessible via http and https.
Anonymous usage via http is ok. But I want to disable logins via http.
Is there a way to force the usage of https as soon as the user wants to log in?
Even the login-page (with username and password fields) should not be available via http.
Background: I don't want the password to go over the wire unencrypted.
Update: The site gets hosted on an Apache web server.
As I already mentioned in the comments, I strongly suggest you NOT serve only the login page via https.
Doing so just hides the fact that, for example, session information and authentication data are still transferred unencrypted via http on the other requests. Your site will not be secure at all.
You're just pseudo-securing stuff so it's fancy to somebody's eye. It's just like using the password 12345.
So please serve your website over https to the user. A small guide, for nginx or apache2, on how to redirect your traffic from http to https can be found here:
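
Added example, not part of the answer above and not DjangoCMS code: a small check that shows the answer's point on constructed responses, flagging plain-http pages that are served instead of redirected and session cookies set without the Secure flag. The host www.example.com, the cookie value and the helper names are assumptions; sessionid and csrftoken are Django's default cookie names.

```python
from http.cookies import SimpleCookie

# Django's default session and CSRF cookie names.
SENSITIVE_COOKIES = {"sessionid", "csrftoken"}
REDIRECTS = {301, 302, 307, 308}


def audit_response(url, status, headers):
    """Return findings for one response; headers is a list of (name, value)."""
    findings = []
    hdrs = [(name.lower(), value) for name, value in headers]
    if url.startswith("http://"):
        location = next((v for k, v in hdrs if k == "location"), "")
        if status not in REDIRECTS or not location.startswith("https://"):
            findings.append("plain http is answered instead of redirected to https")
    for name, value in hdrs:
        if name != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)
        for cookie, morsel in jar.items():
            if cookie in SENSITIVE_COOKIES and not morsel["secure"]:
                findings.append(f"{cookie} lacks the Secure flag, so browsers also send it over http")
    return findings


# Constructed responses: https for the login page only (what the answer warns against) ...
LOGIN_ONLY = [
    ("http://www.example.com/", 200, [("Content-Type", "text/html")]),
    ("https://www.example.com/login/", 200,
     [("Set-Cookie", "sessionid=constructed123; HttpOnly; Path=/; SameSite=Lax")]),
]
# ... and the whole site on https, with SESSION_COOKIE_SECURE = True in Django.
HTTPS_EVERYWHERE = [
    ("http://www.example.com/", 301, [("Location", "https://www.example.com/")]),
    ("https://www.example.com/login/", 200,
     [("Set-Cookie", "sessionid=constructed123; HttpOnly; Path=/; SameSite=Lax; Secure")]),
]


def audit_site(responses):
    """Map each URL to its findings, keeping only URLs that have any."""
    report = {url: audit_response(url, status, headers) for url, status, headers in responses}
    return {url: found for url, found in report.items() if found}


if __name__ == "__main__":
    for url, found in audit_site(LOGIN_ONLY).items():
        print(url, found)
```

In a Django project the clean result corresponds to the settings SECURE_SSL_REDIRECT, SESSION_COOKIE_SECURE and CSRF_COOKIE_SECURE being True, or to the equivalent redirect configured in the web server.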