The app.forestadmin.com domain should be served with http over SSL
Connection not secured
Tried with Chrome, Firefox and Safari deleting all cookies and storage
Hi @johnny-do,
If you just setup a new project using the lumber CLI, it probably created an admin micro service on your local machine (localhost). In that case your browser interacts directly with your local machine without network transportation, so you are safe.
As soon as you deploy your project to a remote/production server, HTTPS is enforced, you’ll be safe there too.
More about this topic here:
https://help.forestadmin.com/article/do-you-use-https-everywhere-have-you-deployed-hsts-on-your-server/
I hope it helps.
It looks like it’s fetching a bunch of css, js, json from app.forestadmin.com over http rather than my localhost. Can those requests be done over https?
Wouldn’t that be a MITM attack vector?
As a new user, it’s very uncomfortable that I have to enter my credentials like that.
I see in the article
https://help.forestadmin.com/article/do-you-use-https-everywhere-have-you-deployed-hsts-on-your-server/
that you have to allow connecting via http for dev environments.
What’s unnerving is that if Forest Admin has an unsecured connection to my dev server and yet my dev server can connect to my production database then wouldn’t that be a security concern?
Or am I never suppose to test that setup and always create a fake environment for my dev setup? Sorry, I’m new to this so could be using Forest Admin incorrectly 
Hi @johnny-do !
The best practice would be to have a dev database, for multiple reasons like preserving your production data (you can play with a local database, but not so much with your prod 
) or as you said for security.
The files fetched from app.forestadmin.com is only frontend code, this is not your data.
I wouldn’t say that the local connection between FA and your dev server is unsecured, since there are two sources of data on our UI:
I hope this answers your questions, don’t hesitate if you need more information.
Ok so I’m more confused now
I think you misunderstood me. I do have a prod env with prod data and dev env with dev data.
I’m just at the stage of setting up my first Forest Admin. What’s the normal flow?
During the project setup, it asked for my db credentials. Am I suppose to put in the dev environment one only at that point?
Then it redirected to app.forestadmin.com and asked for my Forest password without SSL. At this point, it could be a single image that is served over http but do I have to always check on my console? And isn’t that an opportunity that I can be MITM attacked?
Hope you understand my paranoia since it is my customer’s data that could be at risk here so I wanted to be extra cautious.
Hi @johnny-do,
The normal flow is the following:
Once you’re happy with your project under this development environment, you can deploy it to production. When deploying to a production environment, we are enforcing HTTPS meaning that all data exchanges done outside of your local computer will be done through HTTPS.
I hope that my answer will help.
hello,
my connection this morning is not secure too, it’s in production
Hi @arnaudambro,
That’s due to a regression introduced yesterday on Safari browsers.
It should be back to normal now.
