SSL and HTTPS

The Jadu application supports integration with SSL, and can force connections over SSL where user data or sensitive information may be collected or viewed. To allow this, the application needs to be aware if the originating traffic arrived encrypted.

To do this, SSL needs to terminate at the IIS or Apache level.

Offloaded SSL

Apache allows SSL offloading and can set the required variables by forwarding SSL traffic to an alternative port. This port should use a custom vhost that sets the SSL environment variable on.

To force Control Center traffic to use https

In order to configure Continuum CMS to operate under HTTPS, make the following changes:

  1. Update the values of the following constants:
    • SSL_ENABLED to true
    • FORCE_SECURE_CC to true

To force all site traffic to use https

After installing your SSL certificate and making any required server configuration changes.

  1. Update the values of the following configuration values:
    • where XForms Professional is installed, set FORCE_SECURE_FORM element to be true in xfp/config/constants.xml
  2. Update the values of the following constants:
  3. Update cookie domain by changing the following constant:
    • TEST_COOKIE_DOMAIN to the wildcard domain
    • TEST_COOKIE_SECURE_CONNECTION to true
  4. Clear the application's data cache.

The Strict-Transport-Security header returned by Continuum CMS defaults to 30 days, this can be adjusted changing the value of the HSTS_MAX_AGE constant. HSTS_MAX_AGE should be set to an integer number of seconds.

Secure template methods

To include "https" instead of "http" in system generated links, use getSecureSiteRootURL() in your templates when not all traffic is forced to use https.

results matching ""

    No results matching ""