7 Aug 2011, 9:31 a.m.
On 06.08.2011 14:32, Lukas Fleischer wrote:
> For all tl;dr guys around. This is my proposal:
> * Use HTTPS links by default (this is already implemented).
> * Enable secure cookies.
> * Disallow HTTP login (or at least print a big, fat warning if a user tries to log in via HTTP).
I would really go with "disallow". Don't even show a login form, just a link that directs to https _before_ being able to enter a password.
> * Possibly use HSTS.
> This should fix all possible vulnerabilities related to HTTPS we can actually fix. Let me know if I missed something.
Yes, the list looks complete.
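As an added example (not code from this thread or from the AUR project), a minimal WSGI application in Python that applies the proposal as agreed above: the login path over plain HTTP gets no form, only a redirect to its https URL; the session cookie carries the Secure and HttpOnly flags; and the Strict-Transport-Security header is sent only on HTTPS responses, since browsers ignore it on HTTP anyway. The cookie name, host and HSTS max-age are assumed values.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlunsplit

HSTS_MAX_AGE = 31536000  # assumed: one year, as commonly deployed
COOKIE_NAME = "session"  # assumed name; not the AUR's real cookie


def is_https(environ):
    return environ.get("wsgi.url_scheme") == "https"


def https_url(environ):
    """Same host, path and query, but with the https scheme."""
    host = environ.get("HTTP_HOST", "localhost")
    return urlunsplit(("https", host, environ.get("PATH_INFO", "/"),
                       environ.get("QUERY_STRING", ""), ""))


def session_cookie(value):
    """Set-Cookie value with the Secure and HttpOnly flags set."""
    c = SimpleCookie()
    c[COOKIE_NAME] = value
    c[COOKIE_NAME]["secure"] = True    # never sent over plain HTTP
    c[COOKIE_NAME]["httponly"] = True  # not readable from page scripts
    c[COOKIE_NAME]["path"] = "/"
    return c.output(header="").strip()


def app(environ, start_response):
    path = environ.get("PATH_INFO", "/")
    if not is_https(environ):
        if path == "/login":
            # Disallow HTTP login: no form, just the https link.
            start_response("302 Found", [("Location", https_url(environ))])
            return [b"Login is only available over HTTPS.\n"]
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"public page (HTTP, no cookies, no HSTS)\n"]
    headers = [("Content-Type", "text/plain"),
               ("Strict-Transport-Security",
                "max-age=%d; includeSubDomains" % HSTS_MAX_AGE)]
    if path == "/login" and environ.get("REQUEST_METHOD") == "POST":
        # Constructed session id stands in for a real login result.
        headers.append(("Set-Cookie", session_cookie("constructed-session-id")))
        start_response("200 OK", headers)
        return [b"logged in\n"]
    start_response("200 OK", headers)
    return [b"page (HTTPS)\n"]


def call(environ):
    """Drive the app directly; returns (status, headers dict, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body
```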