While comparing HTTP to HTTPS logs (J4), I noticed a few URLs are coming down in the former (e.g. plaintext) when I'm expecting everything nice & tidy in TLS.
Some of the common players (Shortened for brevity):
GET /administrator/index.php?option=com_joomlaupdate&task=update.ajax&36893(etc)=1
GET /administrator/index.php?option=com_installer&view=update&task=update.ajax&36893(etc)=1skip=224
GET /administrator/index.php?option=com_privacy&task=getNumberUrgentRequests&format=json&36893(etc)
GET /administrator/index.php?option=com_templates&view=templates&task=template.ajax&36893(etc)=1
It's not a lot but I'm worried that my browser may have leaked my administrator session variables & cookies along with those calls. Can anyone direct me if there's an existing discussion on this?
Note: (a) Site is configured to Force HTTPS (b) I could certainly enforce with .htaccess but I feel the browser would still push the sensitive content out there before seeing the 301
Statistics: Posted by KennethH — Tue Oct 15, 2024 8:30 pm
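An added example, not part of the original post: a Python sketch that audits a plaintext access log for /administrator/ requests carrying a token in the query string, and checks whether a Set-Cookie value lacks the Secure attribute (a cookie without Secure is attached to plain HTTP requests to the same host). The Apache combined log format, the sample lines, the cookie names and the 32-hex-character token name are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines (Apache combined format) standing in for the
# plaintext (port 80) access log; addresses and token values are made up.
SAMPLE_HTTP_LOG = '''\
203.0.113.7 - - [15/Oct/2024:20:01:11 +0000] "GET /administrator/index.php?option=com_joomlaupdate&task=update.ajax&0123456789abcdef0123456789abcdef=1 HTTP/1.1" 301 245 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Oct/2024:20:01:12 +0000] "GET /administrator/index.php?option=com_privacy&task=getNumberUrgentRequests&format=json HTTP/1.1" 301 245 "-" "Mozilla/5.0"
198.51.100.9 - - [15/Oct/2024:20:02:40 +0000] "GET /index.php HTTP/1.1" 301 230 "-" "curl/8.5.0"
'''

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# Assumption: the token is a query parameter whose *name* is 32 hex characters.
TOKEN_RE = re.compile(r"[0-9a-f]{32}")


def audit_plaintext_log(text, prefix="/administrator/"):
    """Return one finding per admin request seen in a plaintext access log."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue  # not a request line we can parse
        url = urlsplit(m["target"])
        if not url.path.startswith(prefix):
            continue
        params = parse_qsl(url.query, keep_blank_values=True)
        findings.append({
            "client": line.split()[0],
            "status": int(m["status"]),
            "task": dict(params).get("task"),
            # The request line itself crossed the wire unencrypted, so a
            # token in the URL was exposed whatever the cookie flags are.
            "token_in_url": any(TOKEN_RE.fullmatch(k) for k, _ in params),
        })
    return findings


def cookie_sent_over_http(set_cookie_header):
    """True if the cookie has no Secure attribute (browser sends it on http://)."""
    attrs = [p.strip().split("=", 1)[0].lower() for p in set_cookie_header.split(";")[1:]]
    return "secure" not in attrs


if __name__ == "__main__":
    for finding in audit_plaintext_log(SAMPLE_HTTP_LOG):
        print(finding)
    print(cookie_sent_over_http("sessid=abc; path=/; HttpOnly"))
```
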