6 Aug 2011, 2:32 p.m.
For all the tl;dr guys around, this is my proposal:

* Use HTTPS links by default (this is already implemented).
* Enable secure cookies.
* Disallow HTTP login (or at least print a big, fat warning if a user tries to log in via HTTP).
* Possibly use HSTS.

This should fix all possible vulnerabilities related to HTTPS that we can actually fix. Let me know if I missed something.
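The four points above, wired together as one WSGI middleware. This is an added example, not code from the poster or from the site being discussed; the login path (`/login`), the one-year HSTS max-age and the toy application behind the middleware are assumptions made for the demo.

```python
"""Hypothetical WSGI middleware enforcing the proposal above (added example, not site code)."""
from http.cookies import SimpleCookie
from urllib.parse import urlunsplit

HSTS_MAX_AGE = 31536000      # one year; assumed value, tune to your rollout plan
LOGIN_PATHS = {"/login"}     # assumed login endpoint of the hypothetical app


def secure_cookie_header(name, value, max_age=3600):
    """Build a Set-Cookie header value carrying Secure, HttpOnly and SameSite flags."""
    cookie = SimpleCookie()
    cookie[name] = value
    cookie[name]["secure"] = True       # never sent over plain HTTP
    cookie[name]["httponly"] = True     # not readable from script
    cookie[name]["samesite"] = "Lax"
    cookie[name]["path"] = "/"
    cookie[name]["max-age"] = max_age
    return cookie[name].OutputString()


def hsts_header():
    """Strict-Transport-Security header tuple; only ever emitted on HTTPS responses."""
    return ("Strict-Transport-Security", f"max-age={HSTS_MAX_AGE}; includeSubDomains")


def https_enforcer(app):
    """Redirect plain HTTP to HTTPS, reject HTTP logins outright, add HSTS on HTTPS."""
    def middleware(environ, start_response):
        scheme = environ.get("wsgi.url_scheme", "http")
        method = environ.get("REQUEST_METHOD", "GET")
        path = environ.get("PATH_INFO", "/")

        if scheme != "https":
            if path in LOGIN_PATHS and method == "POST":
                # Credentials already left the client in clear text; refuse rather
                # than redirect, so the browser does not silently resubmit them.
                start_response("403 Forbidden", [("Content-Type", "text/plain")])
                return [b"Login over HTTP is not allowed; use HTTPS.\n"]
            host = environ.get("HTTP_HOST", "localhost")
            location = urlunsplit(("https", host, path, environ.get("QUERY_STRING", ""), ""))
            start_response("301 Moved Permanently", [("Location", location)])
            return [b""]

        def secured_start_response(status, headers, exc_info=None):
            return start_response(status, list(headers) + [hsts_header()], exc_info)

        return app(environ, secured_start_response)
    return middleware


def demo_app(environ, start_response):
    """Toy application (assumed): issues a session cookie on POST /login."""
    if environ.get("PATH_INFO") in LOGIN_PATHS and environ.get("REQUEST_METHOD") == "POST":
        headers = [("Content-Type", "text/plain"),
                   ("Set-Cookie", secure_cookie_header("session", "deadbeef"))]
        start_response("200 OK", headers)
        return [b"logged in\n"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello\n"]


def call(app, scheme, method, path, host="example.test"):
    """Drive a WSGI app with a constructed environ; returns (status, headers, body)."""
    environ = {"wsgi.url_scheme": scheme, "REQUEST_METHOD": method,
               "PATH_INFO": path, "HTTP_HOST": host, "QUERY_STRING": ""}
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)   # collapses duplicate headers; fine for the demo
        return lambda data: None

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    app = https_enforcer(demo_app)
    for req in (("http", "GET", "/"), ("http", "POST", "/login"), ("https", "POST", "/login")):
        status, headers, body = call(app, *req)
        print(req, status, headers, body)
```

The HSTS header is added only on HTTPS responses because browsers ignore it on plain HTTP anyway, and the HTTP login is refused with 403 rather than redirected so that a browser does not replay the already-leaked credentials over the new connection.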