HTTP security: Difference between revisions

From MoodleDocs
(secure cookies only, only http cookies, stub template)
(127.0.0.0/8 re MDL-76755)
 
(21 intermediate revisions by 8 users not shown)
Line 1: Line 1:
{{stub}}
{{Security}}
*In Moodle 3.4 onwards, the setting 'Use HTTPS for logins' (loginhttps) has been removed.
* There is a [[HTTPS conversion tool]] for converting embedded content to HTTPS.


Location: ''Administration > Security > HTTP security''
==Secure cookies only==


It is recommended to use secure cookies only when serving over [https://en.wikipedia.org/wiki/Transport_Layer_Security SSL]. When not serving over SSL, the setting is ignored. In Moodle 3.1.2 onwards, the 'Secure cookies only' default setting is on.


==Use HTTPS for logins==
==cURL blocked hosts list==
HTTPS encrypts the user's login data, so it's difficult to sniff out a user's username and password on the network. You will need to enable HTTPS on your server before you turn on this setting, or else you will be locked out of your site. Every web server has a different method for enabling HTTPS, so you should check the documentation for your web server.


==Secure cookies only==
This allows you to block Moodle's cURL implementation from accessing the specified hosts, wherever it is used to fetch content (such as by the URL downloader in the file picker). Generally it is recommended that as a minimum this is configured to prevent access to any internal network resources. The following is an example list of hosts which can be configured, which prevents access to various versions of "localhost", as well as an address commonly used by AWS and some other cloud providers to provide meta data about the server instance (169.254.169.254):
 
127.0.0.0/8
192.168.0.0/16
10.0.0.0/8
172.16.0.0/12
0.0.0.0
localhost
169.254.169.254
0000::1
 
 
 
'''Note:''' In addition to configuring this at the application level via this setting, it is also recommended that sufficient firewall/network security measures are in place, including restricting access to internal network endpoints to those users/services that require them.
 
==cURL allowed ports list==
 
This allows you to restrict Moodle's cURL implementation to only access the specified list of port numbers, wherever it is used to fetch content (such as by the URL downloader in the file picker). Generally it is recommended that this is configured to only allow standard web ports, as follows:


{{Moodle 1.9}}Moodle 1.9 onwards includes a setting for secure cookies (when using HTTPS).
80
443


==Only http cookies==
In future, some logical default values such as those above will be configured automatically for new Moodle sites. See MDL-56873 for more details.


Moodle 1.9 onwards includes a setting "Only http cookies".
'''Note:''' In addition to configuring this at the application level via this setting, it is also recommended that sufficient firewall/network security measures are in place, including restricting access to open ports on the internal network to those users/services that require them.


==See also==
==See also==


*Using Moodle [http://moodle.org/mod/forum/discuss.php?d=79110 Locked out] forum discussion
* MDL-55662 for removing the secure cookies only setting
 
[[Category:Site administration]]


[[Category:Administrator]]
[[de:HTTP-Sicherheit]]
[[Category:Security]]
[[es:Seguridad HTTP]]

Latest revision as of 11:56, 12 August 2023

  • In Moodle 3.4 onwards, the setting 'Use HTTPS for logins' (loginhttps) has been removed.
  • There is a HTTPS conversion tool for converting embedded content to HTTPS.

Secure cookies only

It is recommended to use secure cookies only when serving over SSL. When not serving over SSL, the setting is ignored. In Moodle 3.1.2 onwards, the 'Secure cookies only' default setting is on.

cURL blocked hosts list

This allows you to block Moodle's cURL implementation from accessing the specified hosts, wherever it is used to fetch content (such as by the URL downloader in the file picker). Generally it is recommended that as a minimum this is configured to prevent access to any internal network resources. The following is an example list of hosts which can be configured, which prevents access to various versions of "localhost", as well as an address commonly used by AWS and some other cloud providers to provide meta data about the server instance (169.254.169.254):

127.0.0.0/8
192.168.0.0/16
10.0.0.0/8
172.16.0.0/12
0.0.0.0
localhost
169.254.169.254
0000::1


Note: In addition to configuring this at the application level via this setting, it is also recommended that sufficient firewall/network security measures are in place, including restricting access to internal network endpoints to those users/services that require them.

cURL allowed ports list

This allows you to restrict Moodle's cURL implementation to only access the specified list of port numbers, wherever it is used to fetch content (such as by the URL downloader in the file picker). Generally it is recommended that this is configured to only allow standard web ports, as follows:

80
443

In future, some logical default values such as those above will be configured automatically for new Moodle sites. See MDL-56873 for more details.

Note: In addition to configuring this at the application level via this setting, it is also recommended that sufficient firewall/network security measures are in place, including restricting access to open ports on the internal network to those users/services that require them.

See also

  • MDL-55662 for removing the secure cookies only setting