thelonecuber at March 8th, 2015 05:41 — #1
When I switch on HTTPS for a Webhook website the CMS assets fail to load due to mixed protocols...
The page at 'https://www.######.com/cms#/wh/' was loaded over HTTPS, but requested an insecure stylesheet 'http://cms.webhook.com/v2/assets/app.min.css'. This request has been blocked; the content must be served over HTTPS.
I can't see anything in the Docs or forums about HTTPS. Is there any workaround for this?
ltsquigs at March 10th, 2015 17:07 — #2
Right now HTTPS is not supported by webhook.
dkenzik at March 10th, 2015 17:23 — #3
Isn't Webhook's limitation due to Google not supporting HTTPS access to static buckets?
ltsquigs at March 10th, 2015 17:45 — #4
Yes, that's more or less the crux of it.
We may eventually support HTTPS to our Proxy (because when using a custom domain you are going to our proxy which goes to Google Cloud Storage), but this would not solve the problem where some assets from Google Cloud Storage are served from non-HTTPS.
I should point out while the static files are not stored on HTTPS, that does not mean Webhook is not secured. All authentication/communication with Firebase is done over HTTPS (or WSS which is HTTPS for websockets), so no sensitive information is transferred over an unsecure domain.
Likewise our billing server is hosted outside of cloud storage and is hosted through HTTPS so that is all secure as well. (Along with all communication with Stripe being over HTTPS.)
dkenzik at March 10th, 2015 18:04 — #5
If Webhook allows SSL installs for custom domains, and your proxy in front of Google supports SSL, then it seems trivial after that.
Assets could just be referenced without the protocol then, right? eg:
Of course, I may be way off base after a few afternoon brews...
I'll certainly need to use this feature at some point, so I look forward to a solid solution.
eduardo at March 10th, 2015 18:20 — #6
I am not sure HTTPS is necessary, as WH sites are static. There's no backend and no forms you can create with it, so no sensitive information can even be captured with it. Even if you make your own forms, they would have to post to an HTTPS site (subdomain maybe), which would have to be hosted somewhere else.
budparr at March 10th, 2015 18:33 — #7
Funny that GCS doesn't offer SSL on Cloud Storage since they've become a notable proponent of SSL.
Cloudflare may be of help here. Here's a blog post about using Cloudflare's (free!) SSL service on Github pages, and I think if it would work on Github it'd work anywhere. Note, I've not tried this yet, but intend to soon.
budparr at March 10th, 2015 18:35 — #8
One quick note - I'm a big fan of Cloudflare, but had a recent conversation at the NY Web Performance Meetup about whether or not routing a static site through their network is a benefit or drag on performance.
dkenzik at March 10th, 2015 18:40 — #9
@budparr - I believe they do "offer" SSL, but you have to use their API to consume the assets in your app, rather than a direct call to the asset.
@Eduardo - Technically, you are right. But, IME, clients' audiences feel much more comfortable when using SSL (they don't know it's static anyway.)
And as an added bonus, I believe you get better weighting in Google's search algos if you have SSL installed.
thelonecuber at March 10th, 2015 18:51 — #10
@LtSquigs — Owch... that hurts.
@budparr — Wow, that's interesting. I use Cloudflare a lot, and with SSL always. Not just for performance though; Google search results are said to smile a little wider on SSL sites.
@Eduardo — I use the brilliant http://formspree.io/ for static forms. And agree with @dkenzik all the way — clients and their visitors feel much more comfortable using SSL.
@dkenzik — I saw that cms.html calls assets via protocol-specific absolute URLs. I had a quick play around modifying them to protocol-free // addresses, but I get the feeling some of the minified JS files might also reference absolute http://webhook.com assets. It was late at night and my daily brew had worn off though, so I didn't get far.
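An added example (not part of the thread or of Webhook's code): a Node.js check for the two places the post above mentions, markup and script text, that lists hardcoded `http://` asset references and shows that rewriting the markup to `//` leaves the script strings untouched. The function names and sample input are constructed for illustration; only the `app.min.css` URL comes from the error message in the first post.

```javascript
// Added example: locate hardcoded http:// asset references (mixed content).
const TAG = /<(script|link|img|iframe)\b[^>]*>/gi;
const URL_ATTR = /\b(?:src|href)\s*=\s*["']([^"']+)["']/i;
const JS_LITERAL = /["'`](http:\/\/[^"'`\s]+)["'`]/g;

// Return the tag's http:// URL if it is a counted subresource, else null.
function insecureUrl(tagText, tag) {
  const attr = URL_ATTR.exec(tagText);
  if (!attr || !/^http:\/\//i.test(attr[1])) return null; // https:// and // pass
  // This sketch counts only stylesheet links; rel="canonical" is metadata.
  if (tag === 'link' && !/rel\s*=\s*["']?stylesheet/i.test(tagText)) return null;
  return attr[1];
}

function scanHtml(html) {
  const hits = [];
  for (const m of html.matchAll(TAG)) {
    const tag = m[1].toLowerCase();
    const url = insecureUrl(m[0], tag);
    // Images are passive mixed content; scripts, stylesheets, frames are active.
    if (url) hits.push({ tag, url, type: tag === 'img' ? 'passive' : 'active' });
  }
  return hits;
}

// Absolute http:// URLs inside string literals of (minified) JavaScript.
function scanScript(js) {
  return [...js.matchAll(JS_LITERAL)].map((m) => m[1]);
}

// The markup-only workaround: drop the scheme so the page's own scheme is used.
function toProtocolRelative(html) {
  return html.replace(TAG, (t, tag) =>
    insecureUrl(t, tag.toLowerCase()) ? t.replace(/(=\s*["'])http:/i, '$1') : t);
}

// Constructed sample input; only the app.min.css URL appears in the thread.
const sampleHtml = `
<link rel="stylesheet" href="http://cms.webhook.com/v2/assets/app.min.css">
<link rel="canonical" href="http://example.com/">
<script src="//cdn.example.com/lib.js"></script>
<script src="http://cdn.example.com/app.min.js"></script>
<img src="http://cdn.example.com/logo.png">`;
const sampleJs = 'var a="http://cdn.example.com/font.woff",b="https://ok.example.com/x";';

console.log(scanHtml(sampleHtml));
console.log(scanHtml(toProtocolRelative(sampleHtml)).length, scanScript(sampleJs));
```

A `//` URL only helps when the asset host also answers on HTTPS, which per post #4 is the unresolved part.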
budparr at March 11th, 2015 08:53 — #12
Hey guys, I tried the Cloudflare free SSL out on my site last night and it works well. The rules are a bit tricky because we're forwarding the root domain to www and making sure that they go through https, so I may still need to adjust (I have one test failing right now), but beyond that it works well and I got no certificate warnings.
Note though, that the free SSL is only on the Cloudflare side, as it's, obviously, not on your server, so this is for lightweight use only; not where you're passing sensitive data around. I figure you guys know that, but thought it worth noting.
And, worth noting that thanks to the site being super fast static there's no discernible performance hit (actually, maybe 50-100ms as far as I can tell with a quick check on pingdom)
eduardo at March 11th, 2015 18:39 — #13
@budparr Is the SSL in the free tier new? Last time I looked at CF, SSL was only in their paid plans.
budparr at March 11th, 2015 18:52 — #14
Sometime within the last few months. And I think they're really beefing it up, including on the free tier. Their network benefits from having more sites on it, so they're pretty smart about this sort of thing.
eduardo at March 11th, 2015 18:59 — #15
@budparr Thanks for the info, I will have to revisit Cloudflare again soon
thelonecuber at March 11th, 2015 19:16 — #16
@budparr And the CMS obviously works fine too? Did you have to wrangle any core code? The core assets load from http:// protocols don't they?
@Eduardo Yep Cloudflare are incredible. https://blog.cloudflare.com/introducing-universal-ssl/
budparr at March 11th, 2015 20:47 — #17
It seems to work on https, but I've been experimenting and thinking to figure out what the best approach would be. Maybe I'll write something up when I have.
rdwatters at March 13th, 2015 03:14 — #18
We just made the switch to https at my full-time gig. What a PITA.
Not sure how the embedly api is configured within the widget, but here's the skinny on
Formkeep sends your form data over https. Firebase is over https, and the CMS is OAuth2, I think. The biggest threats to sites like these are XSS/MITMA, no? Those strike me as non-issues with no business logic or RDBMS.
TLS/SSL isn't 100% secure.
@dkenzik Yup, it helps SEO.
@budparr I believe all Github pages moving forward are https already, no? But maybe that's only for xxx.github.io, which isn't so awesome.
simeon at January 27th, 2016 17:35 — #19
So ... any updates on this? HTTPS is becoming increasingly important. Is there a recommended way of using https on Webhook?
bauhem at February 2nd, 2016 22:29 — #20
I have managed to do this with CloudFlare. You can see a report here: https://www.sslshopper.com/ssl-checker.html#hostname=coffretsduroyaume.com
Really easy to set up via Cloudflare admin.
simeon at February 3rd, 2016 01:17 — #21
Thought I had read that Cloudflare SSL wasn't "real" SSL...