Cornerstone on Demand HTTP -> HTTPS

Hi everyone,

TLDR: How do you publish a course to be compliant with https? (I know, I never thought I'd ask this)

Got a question for the more LMS (and server) minded people in the group. A client sent me a request to quote on updating courses from HTTP to https. My first response was that's not a course issue, it's a server/LMS issue and that they should contact their LMS provider - Cornerstone on Demand (CSOD). Her reply: the request came from CSOD. My reply: huh? Really? 

Has anyone come across this before? It goes against everything I thought I understand about how HTTPS works. I think the courses that were listed as non-compliant were published in the original player with HTML5 and Flash fallback (or vice versa). Would this be as simple as republishing in straight HTML5? I can't imagine it would be, but...

Thought I'd ask to see if anyone has encountered this before I send over files to find out there's something else.

Here's the message from CSOD:

You're receiving this message as our records show that you currently have courses using HTTP and you may be impacted by a planned change.

Cornerstone makes frequent updates to maintain and surpass the current technology and security standards. As part of these regular updates, we plan to enable HTTP Strict Transport Security (HSTS) on June 1, 2020.

As part of the HSTS enablement, our sites will no longer accept clear text HTTP, HTTPS is the safer version of the HTTP protocol, which enables web users to connect to websites. Secure connections are an important step in protecting users from a type of cyber attack called content injection, or content spoofing. For more details, please refer to https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

Cornerstone allows clients to upload learning content to our system. As part of that process, you choose a Provider/Vendor for that course. Each of the providers/vendors that have been set up in your portal can be set to accept HTTP or HTTPS traffic. We have identified that you have some of these set to HTTP.

Further clarification was: 

Your course providers or vendors should be able to help you with that. We aren't course package modifiers, and each vendor may have a different process. If you contact them and let them know that we're updating to HSTS, they should know how to adjust the courses for you.

If your organization has created courses, you will need to either consult the course creators or seek outside help.

7 Replies
Steve Blane

Ah, that makes total sense! I’ll check to see what links they have. 
very helpful as always Phil. 
btw, I teach some design and elearning  courses. When I talk up storyline, I mention the community and say that *someone* always responds to a post and there’s a high probability that it will be Phil Mayor. Thanks for proving me right. :)