Secure Protocols Only

mandatory

Apenas HTTPS; nada de HTTP, FTP ou Telnet em qualquer publish/deploy. Redirect 301 de http→https obrigatório onde aplicável.

Rule

When publishing or deploying to a web server, never use insecure protocols (HTTP, FTP, Telnet). Always:

  • Force HTTPS with valid TLS/SSL certificates.
  • Configure HTTP → HTTPS 301 redirect.
  • In code, APIs, and webhooks, always use https:// URLs.

Applies To

  • Every Koder deployment (landing pages, APIs, web apps)
  • Every generated code snippet, documentation example, and webhook URL
  • Every integration configuration file

Rationale

Koder products handle user credentials, tenant data, and payment flows. Any cleartext channel is a liability. Modern browsers warn users about mixed content and cleartext, which also hurts brand trust.

Implementation Help

  • Automatic HTTPS: infra/jet (Koder Jet web server) provides automatic TLS via ACME / Let's Encrypt. No manual cert management needed for new services.
  • Internal services: if a service runs on a private network and does not need TLS on the wire, still require authenticated access (mTLS, OIDC, or bearer tokens).
  • specs/security/csp.kmd — canonical Content-Security-Policy posture: per-request nonce pipeline, templ-author contract, partial-template threading, report endpoint, staged enforce-mode flip. Applies to every Koder web app that renders templ output.