
HTTPS should be the only allowed protocol #74

Closed
NiciusB opened this issue Jan 18, 2019 · 2 comments

Comments

@NiciusB

NiciusB commented Jan 18, 2019

Hey there!
This is not directly related to the code, but to the web server configuration. The Cloudflare configuration, in this case.

HTTP is not encrypted. While you can't enter any personal details on the website, an attacker could tamper with the website's content, and change the download links to malware. Redirecting automatically to HTTPS is pretty easy and mitigates this issue.

The ideal solution would be to enable HSTS (https://blog.cloudflare.com/enforce-web-policy-with-hypertext-strict-transport-security-hsts/). This can be done with a couple of clicks on the Cloudflare dashboard. Another, simpler solution is to create a Page Rule or enable the "Always Use HTTPS" option.

Please consider making these changes and help make the web a safer place!

@zanchey
Member

zanchey commented Jan 26, 2019

> Redirecting automatically to HTTPS is pretty easy and mitigates this issue.

Does it? Can't the attacker intercept the redirect?

HSTS is a reasonable thing to implement though (with a slow-growing expiry time).

@NiciusB
Author

NiciusB commented Jan 26, 2019

Yeah, you are right about that. If someone is typing the URL, they will probably not write https, and I'm fairly sure all browsers just go to the http version by default.

However, and someone will probably have access to analytics to check this, most users don't just directly type the URL. Most traffic will come from links pasted on other websites, social media, or elsewhere.
Just by enabling the HTTPS redirection, most of the traffic will go directly to the HTTPS version.

HSTS can be enabled with pretty short expiry dates, so that would work great as well! However, keep in mind that it's just an HTTP header that gets saved. If a user has never opened the website, and they navigate to the HTTP version, it can still be hijacked. The only way to surpass this is preloading the HSTS on the browser, which Chrome does for decently sized websites that send the header.
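The thread distinguishes three states: no redirect at all, an HTTP-to-HTTPS redirect whose first hop is still interceptable, and an HSTS policy that is either short-lived (the slow-growing phase) or long enough to qualify for browser preloading. The checker below is an added example, not code from the project or from either commenter; the function names, the constructed sample responses, and the `probe()` helper are my own. The preload threshold it uses (a `max-age` of at least one year plus `includeSubDomains` and `preload`) is the published hstspreload.org requirement.

```python
"""Offline checker for the two controls discussed in this thread:
an HTTP -> HTTPS redirect and a Strict-Transport-Security header.
Added example; sample responses are constructed, probe() is optional."""
import re
import urllib.error
import urllib.request
from urllib.parse import urlsplit

PRELOAD_MIN_MAX_AGE = 31536000  # one year, the hstspreload.org minimum


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into a dict.
    Returns None when the mandatory max-age directive is missing or not
    an integer. Directive names are case-insensitive (RFC 6797)."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    if not re.fullmatch(r"\d+", directives.get("max-age", "")):
        return None
    return {
        "max_age": int(directives["max-age"]),
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }


def assess_hsts(value):
    """Classify a header value: 'missing', 'malformed', 'disabled'
    (max-age=0 tells browsers to forget the policy), 'short' (a policy
    below the preload threshold, i.e. the slow-growing phase) or
    'preloadable' (meets the hstspreload.org directive requirements)."""
    if value is None:
        return "missing"
    parsed = parse_hsts(value)
    if parsed is None:
        return "malformed"
    if parsed["max_age"] == 0:
        return "disabled"
    if (parsed["max_age"] >= PRELOAD_MIN_MAX_AGE
            and parsed["include_subdomains"] and parsed["preload"]):
        return "preloadable"
    return "short"


def redirect_is_https_upgrade(request_url, status, location):
    """True only for a permanent redirect to the same host over https.
    A temporary redirect is not cached by browsers, and a redirect to a
    different host moves the problem rather than solving it."""
    if status not in (301, 308) or location is None:
        return False
    req, loc = urlsplit(request_url), urlsplit(location)
    return loc.scheme == "https" and loc.hostname == req.hostname


def probe(host, timeout=10):
    """Live check over the network: (redirect_ok, hsts_assessment)."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # surface the 3xx instead of following it

    opener = urllib.request.build_opener(NoRedirect)
    http_url = f"http://{host}/"
    try:
        resp = opener.open(http_url, timeout=timeout)
        status, location = resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        status, location = err.code, err.headers.get("Location")
    redirect_ok = redirect_is_https_upgrade(http_url, status, location)
    with urllib.request.urlopen(f"https://{host}/", timeout=timeout) as r:
        hsts = r.headers.get("Strict-Transport-Security")
    return redirect_ok, assess_hsts(hsts)


# Constructed sample responses (not captured from any real site).
SAMPLES = {
    "no_redirect": (200, None, None),
    "temp_redirect": (302, "https://example.test/", "max-age=300"),
    "redirect_short_hsts": (301, "https://example.test/", "max-age=300"),
    "redirect_preloadable": (301, "https://example.test/",
                             "max-age=63072000; includeSubDomains; preload"),
}


def assess_sample(name):
    status, location, hsts = SAMPLES[name]
    upgrade = redirect_is_https_upgrade("http://example.test/", status, location)
    return upgrade, assess_hsts(hsts)


if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name:22s} redirect_ok={assess_sample(name)[0]!s:5} "
              f"hsts={assess_sample(name)[1]}")
```

`probe("example.test")` runs the same two checks against a live host; everything else is offline. The `302` case is flagged deliberately: Cloudflare's "Always Use HTTPS" issues a 301, and a temporary redirect would not be cached by the browser on later visits.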

@NiciusB NiciusB closed this as completed Jul 26, 2019