Secure Protocols Only
Apenas HTTPS; nada de HTTP, FTP ou Telnet em qualquer publish/deploy. Redirect 301 de http→https obrigatório onde aplicável.
Rule
When publishing or deploying to a web server, never use insecure protocols (HTTP, FTP, Telnet). Always:
- Force HTTPS with valid TLS/SSL certificates.
- Configure HTTP → HTTPS 301 redirect.
- In code, APIs, and webhooks, always use
https://URLs.
Applies To
- Every Koder deployment (landing pages, APIs, web apps)
- Every generated code snippet, documentation example, and webhook URL
- Every integration configuration file
Rationale
Koder products handle user credentials, tenant data, and payment flows. Any cleartext channel is a liability. Modern browsers warn users about mixed content and cleartext, which also hurts brand trust.
Implementation Help
- Automatic HTTPS:
infra/jet(Koder Jet web server) provides automatic TLS via ACME / Let's Encrypt. No manual cert management needed for new services. - Internal services: if a service runs on a private network and does not need TLS on the wire, still require authenticated access (mTLS, OIDC, or bearer tokens).
Related specs
specs/security/csp.kmd— canonical Content-Security-Policy posture: per-request nonce pipeline, templ-author contract, partial-template threading, report endpoint, staged enforce-mode flip. Applies to every Koder web app that renders templ output.