djangohttpsdjango-cms

DjangoCMS: disable login via http, force https


Our DjangoCMS site is accessible via http and https.

Anonymous usage via http is ok. But I want to disable logins via http.

Is there a way to force the usage of https as soon as the user wants to login?

Even the login-page (with username and password fields) should not be available via http.

Background: I don't want the password to go over the wire unencrypted.

Update: The site gets hosted on an apache web server.


Solution

  • As I already mentioned it in the comments I strongly suggest you to NOT only serve the login page via https.

    Doing so just hides the fact that for example session information and authentication data is still transfered on the other requests unencrypted via http. Your site will not be secure at all.

    You're just pseudo-securing stuff so it's fancy to somebodys eye. It's just like using the password 12345.

    So please serve your website over https to the user. A small guide, for nginx or apache2, on how to redirect your traffic from http to https can be found here: