DarkXero you can use this extension to obtain the correct configuration in "1 step" https://discuss.flarum.org/d/19307-canonical-url-redirect

If you want to do it "the proper way" without an extension, you can search something like "<your hosting> force www" or respectively "no-www" depending on your preferred domain. If your hosting is managed, it might be one click in the management panel. Or it might be in your provider's online documentation. If it's a VPS or if there's no documentation, you can search for "<webserver> force www", for Apache, Nginx or other webserver.

Basically there are many different ways to achieve it depending on your exact hosting situation. If you need further help, please let us know what kind of hosting you are using for your forum and which company provides it.

    clarkwinkelmann My hosting is shared with limited access... Plus no idea where to fix that... But will try extension easier

    2 months later

    Darkle ahah, oops. I forgot to disable the April Fools mode! It's gone now 👀

    There are a few special extensions that appear when this mode is enabled 😇 I have enabled it each year but you might be the first visitor to actually notice 😂

    a month later
    2 months later

    The lab is now able to scan forums running Flarum 1.4.

    While the release contains no breaking changes for extensions, there was an important change to the inline javascript/json in the homepage I had not noticed in advance and of course it broke everything in my script.

    In future lab updates I will probably start dropping compatibility with older Flarum betas, at the moment you can still scan forums that run versions as old as Flarum beta 7 (the current Flarum release when the lab was launched). The code starts getting a bit complicated with all the changes during the years.

    2 months later

    Can we control extension's version control? Which is updated which is not updated? I think it should list unupdated extensions and show the last versions. Thank you very much for this great tool. @clarkwinkelmann

      fakruzaruret I'm not sure what you mean I could/should change on the lab or what are you suggesting people do?

      The lab tries to warn of extension updates but it's very limited in the ways it can guess the current version of the extension. If the lab isn't sure the extension is outdated, it won't say anything.

      To check for updates on your own forum more accurately, you should use Mercury or the composer outdated -D command.

        May I suggest that you make the option to not publish the results the default one? Because from my understanding this is where a lot of recent Chinese spammers are getting their way to raid Flarum forums.

        clarkwinkelmann such as mercury.

        I used the composer update -w command to update extensions but it does not always work. For example the fof/sitemap extension is not updated by this command. Then I found the new version (2.x) and I tried to update it by changing the composer.json file. I learned of the new version by chance. composer outdated -D shows other packages like illuminate etc.

        Mercury shows a list of current versions and last versions. This is a nice view to examine. But currently I can't use it, I get an error 🙁

        https://discuss.flarum.org/d/27620-mercury-the-extiverse-extension-to-understand-extension-updates

        command: php flarum mercury:update-check

        2 months later
        2 months later

        I have marked all Flarum versions that the lab can recognize (beta 7 to stable 1.6.1) as vulnerable.

        The Lab cannot tell Flarum version 1.6.3 apart from 1.6.2 since all changes are server-side and you need an account to probe for the vulnerability, so 1.6.2 will not show a vulnerable rating. You should still update as soon as possible if you are still running Flarum 1.6.2.

        If you are wondering why the list of recent scans disappeared (already a few weeks ago), the SQL query that fetched that information was poorly written and there are now so many entries in the database that the whole website would time out because of it. I still haven't had time to rewrite it properly, so for the time being the list is hidden.

        a month later

        Sorry to bother you Clark.
        I've previously gotten A+ score in your tool. 😃

        Now I get this

        I am 100% sure that it's my fault, but do you know which parameters control this?
        I've messed around with permissions, reinstalling composer and other stuff.
        Forum still works, but for example your anonymous extension doesn't.

        I'm grasping for clues for what to troubleshoot

          FullThrottle83 what's your Flarum version in admin dashboard? All versions below 1.6.2 will receive rate D. If you really are on Flarum beta 8 or 9 you need to update ASAP as there have been numerous security fixes since then. If you were up to date but no longer are, maybe you ran a composer update that accidentally forced Flarum to downgrade?

          I'll need to know your forum URL to investigate further. You can send it to me privately via Discord or email if you prefer.


          It is up to date 🙂

          My problem started when I updated composer from 2.4.2 to 2.5.2
          Don't remember exactly, but at some stage I ran it as root.
          That must've messed up permissions somehow. I think that is the cause of this.

          You are most kind, I'll reach out to you on discord. To seek your knowledge, not to demand anything!

          FullThrottle83 as confirmed on Discord, the odd "beta"/vulnerable results were because Cloudflare Rocket Loader interfered with my version detection code.

          I have published an update to the lab that fixes the version detection and shows a message at the top of the scan if Cloudflare Rocket Loader was detected. Most of the features work but the list of extensions on the Lab will be incomplete when Rocket Loader is active, because my code only looks for specific patterns in the assets and those are different when Rocket Loader is active.

          While Rocket Loader causes issues with my Lab scanner, I am not aware of it causing any issue when it comes to using Flarum. I am curious whether it brings any benefits though, because according to the Cloudflare documentation this feature accelerates the website rendering by prioritizing text and images and delaying javascript. But since Flarum is a single page app, nothing will be visible until javascript is loaded anyway. So it could maybe even be worse? I'd be curious to know if anyone made tests to compare the performance with and without Rocket Loader.
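
Added example, not part of the thread and not the Lab's own code: a sketch of why pattern-based asset detection breaks when Rocket Loader rewrites script tags, and how a scanner can flag it and still list assets. The sample HTML, the `boot()` call, the strict pattern and all function names are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# Constructed sample pages (not real scan data). The rewritten form assumes
# Rocket Loader prefixes each script type with a per-page hex token and
# appends its own loader script.
PLAIN = (
    '<script src="/assets/forum.js"></script>\n'
    '<script>boot();</script>\n'
)
ROCKET = (
    '<script src="/assets/forum.js" type="5e1f0c9a7b3d4e2f-text/javascript"></script>\n'
    '<script type="5e1f0c9a7b3d4e2f-text/javascript">boot();</script>\n'
    '<script src="/cdn-cgi/scripts/0000/cloudflare-static/rocket-loader.min.js"'
    ' data-cf-settings="5e1f0c9a7b3d4e2f-|49" defer></script>\n'
)

# Hypothetical strict pattern: it stops matching once an attribute is injected.
STRICT = re.compile(r'<script src="([^"]+)"></script>')
TOKEN_TYPE = re.compile(r"^[0-9a-f]{8,}-(text/javascript|module)$", re.I)


def strict_assets(html):
    """Asset URLs found by the brittle regex approach."""
    return STRICT.findall(html)


class ScriptCollector(HTMLParser):
    """Collects the attributes of every <script> tag, in any attribute order."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts.append(dict(attrs))


def analyze(html):
    """Report Rocket Loader signals and list asset URLs regardless of rewriting."""
    collector = ScriptCollector()
    collector.feed(html)
    loader, rewritten, assets = False, 0, []
    for attrs in collector.scripts:
        src = attrs.get("src") or ""
        if src.endswith("rocket-loader.min.js"):
            loader = True  # the injected loader itself is not a forum asset
            continue
        if TOKEN_TYPE.match(attrs.get("type") or ""):
            rewritten += 1
        if src:
            assets.append(src)
    return {"rocket_loader": loader or rewritten > 0,
            "rewritten_scripts": rewritten, "assets": assets}
```
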

          Thank you for your fast fix, and for identifying and explaining the cause!

          You are correct, it makes hardly any difference with Rocket Loader enabled.

          Without

          With

          Cloudflare's own speed test - Upper value is with Rocket Loader

          I come from mainly handling WordPress, where Rocket Loader can have a bigger impact (depending on the site).
          I'll be trying out other settings in Cloudflare.

          3 months later

          The Lab can now scan Flarum 1.8 forums.

          I also fixed an issue that caused forums using the FontAwesome6 extension to be impossible to scan.

          3 months later

          I discovered it completely breaks with the extension Private Forum Facade, due to the redirect it does to the /login page, therefore it will always cap you to a C, and even when the extension is removed MTF Labs still thinks the homepage is https://example.com/login, despite the canonical domain being https://example.com, and no matter how it is typed in the scan bar, will revert to https://example.com/login 😐