Restrict to 'TLS 1.2' protocol only?

Forcing HTTPS is working… but a security analyzer shows I still support the TLS 1.0 and 1.1 protocols… when my customer (client) wants me to only support TLS 1.2. Do I have any options on Glitch…? (https://glitch.com/edit/#!/force-http-or-https)

  1. I’m following this project structure and am indeed getting HTTP->HTTPS redirect… which is great. But…
  2. A client I’m working for wants me to pass certification on this tool (“A” in “protocol support” => TLS 1.0 and 1.1 must be disabled…), Qualys (ssllabs dot com).
  3. You’ll notice that the above ‘force-http-or-https’ project, when taken to the Qualys site, scores a ‘B’ in ‘protocol support.’ And the site states that ‘it supports TLS 1.0 and 1.1’, so…

Is this the best we can do on Glitch…?

I dug around and tried an nginx deployment… and subtracted support for TLS 1.0 and 1.1, but I end up in a continuous bounce redirect loop and a 301 error.

Should I be exploring Heroku and going into the depths of ‘certs’, ‘Cert Authorities’, ‘Cipher suites’, etc.? Is it time to cut bait on the two Glitch fish…? I don’t want to.

1 Like

From a community support perspective, I believe that this is the best we can do as end users on Glitch. The proxy that terminates TLS connections is out of our control here.

You can perhaps work around this by adding another layer of proxying on the outside.

Let’s leave this topic here as a piece of feedback for the staff. Although they recently said they aren’t committing to regular monitoring of this forum.

1 Like
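For readers who go the route suggested above (an extra proxy layer in front of the hosted app, which the original poster attempted with nginx), here is an added example of what that outer proxy's TLS configuration looks like. It is not from this thread or from the Glitch project; the hostnames and certificate paths are placeholders, and it assumes the backend app decides HTTP-vs-HTTPS from the X-Forwarded-Proto header (as apps behind a proxy usually do), which is what stops the redirect loop the poster ran into.

```nginx
# Added example, not from the thread: outer TLS-terminating reverse proxy
# that negotiates only TLS 1.2 and 1.3. All names/paths are placeholders.

server {
    listen 80;
    server_name example.com;                      # placeholder public name

    # Do the HTTP -> HTTPS redirect once, at the edge, so the backend
    # never has to redirect on its own.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name example.com;                      # placeholder public name

    ssl_certificate     /etc/ssl/certs/example.com.pem;    # placeholder
    ssl_certificate_key /etc/ssl/private/example.com.key;  # placeholder

    # This line is what moves the Qualys "Protocol Support" grade:
    # TLS 1.0 and 1.1 are simply not offered.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    location / {
        # Forward to the hosted app over HTTPS, with SNI and Host set to
        # the app's own hostname so the hosting platform routes it.
        proxy_pass https://your-app.example;      # placeholder upstream
        proxy_ssl_server_name on;
        proxy_set_header Host your-app.example;   # placeholder upstream

        # Tell the backend the client connection was already HTTPS.
        # Without this, a backend that forces HTTPS sees plain HTTP from
        # the proxy and answers 301 forever: the "bounce loop" above.
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

After deploying, re-run the Qualys SSL Labs scan against the public hostname; the protocol list should now show TLS 1.2 (and 1.3) only.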

My best recommendation would be to contact support@glitch.com, as staff there will see your message (you could link this thread).

I suppose that if you use Cloudflare as your DNS provider, you can tweak encryption settings there.

1 Like

Went to Cloudflare… thank you … that is working perfectly.

1 Like