Secure Protocols Only

mandatory

HTTPS only; no HTTP, FTP, or Telnet in any publish/deploy. A 301 redirect from http→https is mandatory where applicable.

Policy — Secure Protocols Only

Rule

When publishing or deploying to a web server, *never* use insecure protocols (HTTP, FTP, Telnet). Always:

  • Force *HTTPS* with valid TLS/SSL certificates.
  • Configure HTTP → HTTPS 301 redirect.
  • In code, APIs, and webhooks, always use https:// URLs.

Applies To

  • Every Koder deployment (landing pages, APIs, web apps)
  • Every generated code snippet, documentation example, and webhook URL
  • Every integration configuration file

Rationale

Koder products handle user credentials, tenant data, and payment flows. Any cleartext channel is a liability. Modern browsers warn users about mixed content and cleartext, which also hurts brand trust.

Implementation Help

  • *Automatic HTTPS:* infra/jet (Koder Jet web server) provides automatic TLS via ACME / Let's Encrypt. No manual cert management needed for new services.
  • *Internal services:* if a service runs on a private network and does not need TLS on the wire, still require authenticated access (mTLS, OIDC, or bearer tokens).
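One way to enforce the Rule in a pre-deploy check, as an added example that is not part of the Koder policy or tooling: it flags HTTP, FTP, and Telnet URLs in a configuration file and validates an observed HTTP → HTTPS redirect. The function names, the sample data, and the requirement that the redirect stays on the same host are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Schemes the policy names as insecure.
INSECURE_SCHEMES = ("http", "ftp", "telnet")

# \b keeps "https://" and "sftp://" from matching "http" / "ftp".
_URL_RE = re.compile(
    r"\b(?:%s)://[^\s\"'<>)]+" % "|".join(INSECURE_SCHEMES), re.IGNORECASE
)


def find_insecure_urls(text):
    """Return (line_number, url) for each cleartext-scheme URL in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in _URL_RE.finditer(line):
            # Drop punctuation that trails a URL in prose or comments.
            hits.append((lineno, match.group(0).rstrip(".,;")))
    return hits


def redirect_is_compliant(request_url, status, location):
    """True if the response to an http:// request is a 301 to https.

    Assumption (not stated in the policy): the redirect must stay on the
    same host, so a 301 to an unrelated https site does not pass.
    """
    src = urlsplit(request_url)
    dst = urlsplit(location or "")
    return (
        src.scheme == "http"
        and status == 301
        and dst.scheme == "https"
        and dst.hostname == src.hostname
    )


# Constructed sample of an integration configuration file.
SAMPLE_CONFIG = """\
webhook_url: http://hooks.example.test/notify
api_base: https://api.example.test/v1
backup_target: ftp://files.example.test/drop
sftp_mirror: sftp://files.example.test/drop
"""

if __name__ == "__main__":
    for lineno, url in find_insecure_urls(SAMPLE_CONFIG):
        print(f"line {lineno}: insecure URL {url}")
```

A non-empty result from `find_insecure_urls` can fail the build; `redirect_is_compliant` takes the status code and `Location` header captured from a request that did not follow redirects.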

Source: ../home/koder/dev/koder/meta/docs/stack/policies/security.kmd