Glitch TLS protocol?

Hello!

I’m in the process of building a website on glitch for all sorts of general testing purposes and for enriching my own knowledge of html, js, css, working with webservers, …

I have stumbled on the chapter (if you could call it that) of authenticating user credentials. I’m currently working my way through basic authentication with the WWW-Authenticate and authorization headers. My scripts are working as expected, only returning a 200 when a specific set of credentials is entered.

It is however mentioned literally everywhere that this is not a secure method when TLS is not used on this website. Since my project is on glitch, I suppose that it is glitch itself that has to provide this. My question is if it does this, and how I myself can check if there is any way to do this. If anyone has any documentation regarding TLS, SSL, … that would also be greatly appreciated. I believe this is an essential topic if you are trying to learn how webservers work.

Thanks and I hope to hear from you soon!

Hello and welcome!

Would you mind sharing the name of your project with me? You can use HTTPS with Glitch without setting up your own certificate, but the way that you make sure that only HTTPS is accepted will differ depending on what web server frameworks or APIs you are using.

Feel free to send a DM to @glitch-staff if you’d rather not give your project name here in this public post.

I appreciate the direct offer for assistance for my project in specific terms, however, my aim was to receive information which I will be able to use beyond glitch if I ever go that way.

How can I check if a site is using TLS?
Does hosting a project on a website that uses TLS guarantee that TLS is used for all your project’s traffic?
What is TLS in essence?

That kind of thing.

My project uses express for the webserver, and no other dependencies for the specific authentication part.

How can I check if a site is using TLS?

The most common implementation of TLS is HTTPS - if you see https in the URL and not http, you’re using TLS. Many browsers abstract away that information - in Chrome, you’ll see a little lock symbol next to your URL in the address bar if you’re on a secure page, and a warning symbol if the project is being served over HTTP (insecurely). Other major browsers have similar ways of showing this info.

Does hosting a project on a website that uses TLS guarantee that TLS is used for all your project’s traffic?

That depends on your host and how your server is configured. In Glitch, people will still be able to access your site over HTTP as well as HTTPS unless you explicitly enforce HTTPS in your server.js file.

One way to make sure HTTPS is enforced in a Node server running express is to use express-sslify. Remember here that TLS is the next generation of SSL, and some people (like this package’s authors, apparently) use the terms interchangeably.

Does that help?

3 Likes

All of that is extremely useful!

And yes, I already realised TLS is sort of the successor of SSL. Wikipedia did give me a general summary of what it is, its history, where it’s used, …

Thanks! I enormously appreciate it!