From d18348b578ab72b09840fedfc58d7b6de5fb53b5 Mon Sep 17 00:00:00 2001
From: Kim Alvefur <zash@zash.se>
Date: Sun, 21 Feb 2021 06:18:22 +0100
Subject: mod_bosh: Include warning if endpoint accessed insecurely (#1172)

This is to make it obvious if a misconfigured a proxy or the request
really is insecure.

Perhaps it should also check c2s_require_encryption?
---
 plugins/mod_bosh.lua | 1 +
 1 file changed, 1 insertion(+)

diff --git a/plugins/mod_bosh.lua b/plugins/mod_bosh.lua
index db281fcd..0fbf3037 100644
--- a/plugins/mod_bosh.lua
+++ b/plugins/mod_bosh.lua
@@ -536,6 +536,7 @@ local function GET_response(event)
 		---
 		title = "Prosody BOSH endpoint";
 		message = "It works! Now point your BOSH client to this URL to connect to Prosody.";
+		warning = not (consider_bosh_secure or event.request.secure) and "This endpoint is not considered secure!" or nil;
 		-- <p>For more information see <a href="https://prosody.im/doc/setting_up_bosh">Prosody: Setting up BOSH</a>.</p>
 	}) or "This is the Prosody BOSH endpoint.";
 end
-- 
cgit v1.2.3