Hello team,
Thank you for your work with the open-sammy app as it's by far the best OWASP SAMM tool I could find.
However, I'm having trouble making the app work via the https protocol and more specifically the form for creating a new scope (the URL is domainname.com/project/add). I've tried redirecting all http traffic to https using Apache rewrite rules like so:
```apache
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI}
```
And while this works for most pages, regardless of what I do, the form will always be submitted through the insecure http protocol. Is there a way to re-configure the app to work via https? For example, on some PHP applications you can set the base URL (namely WordPress) but I can't find anything similar for open-sammy.
Additionally, I've reviewed the app's documentation and issues but couldn't find anything regarding forcing https traffic apart from this issue.
So my problem boils down to this - is there a way to make all of the app's resources load via the https protocol by default?