1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

XF 1.4 "Sensitive" Parts of Xenforo

Discussion in 'XenForo Questions and Support' started by CollinL, Oct 10, 2014.

  1. CollinL

    CollinL Member


    I currently force SSL everywhere on my Xenforo site, but I figure that it doesn't really make sense especially since the SSL is "broken" on most pages due to users' images (I can't use the image proxy because it allows people to get my backend IP and my site is behind CloudFlare).

    I'm going to make it so that only pages that handle sensitive information have SSL. Currently I'm planning to force SSL in these places:

    I'm not sure how effective forcing SSL on /login is going to be as you can login to a Xenforo site on the landing page, but I guess there's not much I can do about that.

    Anyway, does anyone know other Xenforo native links where I should be forcing SSL? I'm sure I missed something.
  2. Liam W

    Liam W Well-Known Member

    Forcing SSL on some pages but not others is pointless.

    The session cookie is sent on every request, and if that is intercepted the account can be compromised.

  3. CollinL

    CollinL Member

    Okay, thanks. I think I get what you're saying. Why do sites like Amazon force SSL only in certain places then, though?
  4. Robust

    Robust Well-Known Member

    They probably have a different way of doing sessions perhaps, not sure, haven't used Amazon in a while.

    IGN do this. They enable SSL only on MyIGN (their login thing)

Share This Page