Connection is not secure

Expected behavior

The app.forestadmin.com domain should be served with http over SSL

Actual behavior

Connection not secured



What is the current behavior?
First experience with Forest Admin, and during the project setup the "connection is insecure" warning came up, but I was able to work around it by refreshing and logging out/in.

Failure Logs

Tried with Chrome, Firefox and Safari deleting all cookies and storage

Hi @johnny-do,

If you just set up a new project using the lumber CLI, it probably created an admin microservice on your local machine (localhost). In that case your browser interacts directly with your local machine without network transportation, so you are safe.

As soon as you deploy your project to a remote/production server, HTTPS is enforced, so you’ll be safe there too.

More about this topic here:
https://help.forestadmin.com/article/do-you-use-https-everywhere-have-you-deployed-hsts-on-your-server/

I hope it helps.

It looks like it’s fetching a bunch of css, js, json from app.forestadmin.com over http rather than my localhost. Can those requests be done over https?

Wouldn’t that be a MITM attack vector?

As a new user, it’s very uncomfortable that I have to enter my credentials like that.

I see in the article
https://help.forestadmin.com/article/do-you-use-https-everywhere-have-you-deployed-hsts-on-your-server/

that you have to allow connecting via http for dev environments.

What’s unnerving is that if Forest Admin has an unsecured connection to my dev server and yet my dev server can connect to my production database then wouldn’t that be a security concern?

Or am I never supposed to test that setup and always create a fake environment for my dev setup? Sorry, I’m new to this so I could be using Forest Admin incorrectly :man_shrugging:t2:

Hi @johnny-do !
The best practice would be to have a dev database, for multiple reasons like preserving your production data (you can play with a local database, but not so much with your prod :stuck_out_tongue:) or as you said for security.

The files fetched from app.forestadmin.com are only frontend code; this is not your data.

I wouldn’t say that the local connection between FA and your dev server is unsecured, since there are two sources of data on our UI:

  1. Your project settings (your layout configuration, collections, etc.), which come from our server and are always served via SSL.
  2. Your data, which is loaded from your local server directly into your browser (it doesn’t transit outside of your localhost network).

I hope this answers your questions, don’t hesitate if you need more information.

Ok so I’m more confused now

I think you misunderstood me. I do have a prod env with prod data and dev env with dev data.

I’m just at the stage of setting up my first Forest Admin. What’s the normal flow?
During the project setup, it asked for my db credentials. Am I supposed to put in the dev environment ones only at that point?

Then it redirected to app.forestadmin.com and asked for my Forest password without SSL. At this point, it could be a single image that is served over http but do I have to always check on my console? And isn’t that an opportunity that I can be MITM attacked?

Hope you understand my paranoia since it is my customer’s data that could be at risk here so I wanted to be extra cautious.

Hi @johnny-do,

The normal flow is the following:

  • You start by creating a project on app.forestadmin.com/new-project.
  • When doing so, you’re asked for your database credentials, which are supposed to be your development ones, as it’s your development environment that you are creating here. It is to be noted that your database credentials are not sent anywhere but are just used to compute a connection URL used to generate your lumber project in the last step.
  • This whole part is done over HTTP because it’s intended to be used with your local environment (running on your computer over HTTP).
  • Once this whole process is done, you should have a running dev environment under Forest Admin. As only your browser and the microservice Lumber app are interacting, all those data exchanges are done through HTTP.

Once you’re happy with your project under this development environment, you can deploy it to production. When deploying to a production environment, we are enforcing HTTPS meaning that all data exchanges done outside of your local computer will be done through HTTPS.

I hope that my answer will help.