On 06.08.2011 14:32, Lukas Fleischer wrote:
> For all tl;dr guys around. This is my proposal:
> 
> * Use HTTPS links by default (this is already implemented).
> 
> * Enable secure cookies.
> 
> * Disallow HTTP login (or at least print a big, fat warning if a user
>   tries to log in via HTTP).

I would really go with "disallow". Don't even show a login form, just a
link that directs to https _before_ being able to enter a password.

> * Possibly use HSTS.
> 
> This should fix all possible vulnerabilities related to HTTPS we can
> actually fix. Let me know if I missed something.
> 

Yes, the list looks complete.
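A small checker for the three points of the proposal (HTTP login refused with a redirect to https://, Secure cookies, HSTS), added here as an illustration; it is not code from the thread or from the project. The responses are constructed samples, and the cookie name and hostname are assumptions.

```python
import re

# Constructed sample responses to a login request (not captured from any
# real site). The first is the weak behaviour the proposal removes; the
# other two are the hardened behaviour. Cookie name and host are assumed.
WEAK_HTTP_LOGIN = ("http", 200, [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "SID=abc123; Path=/"),
])
HARDENED_HTTP_LOGIN = ("http", 301, [
    ("Location", "https://aur.example.invalid/login"),
])
HARDENED_HTTPS_LOGIN = ("https", 200, [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "SID=abc123; Path=/; Secure; HttpOnly"),
    ("Strict-Transport-Security", "max-age=31536000"),
])

def _cookie_attrs(value):
    """Return the lower-cased attribute names of one Set-Cookie value."""
    parts = [p.strip() for p in value.split(";")[1:]]
    return {p.split("=", 1)[0].lower() for p in parts if p}

def check_login_response(scheme, status, headers):
    """Return a list of findings; an empty list means the response follows
    the proposal. `headers` is a list of (name, value) pairs because
    Set-Cookie may appear more than once."""
    findings = []
    hdrs = [(k.lower(), v) for k, v in headers]
    if scheme == "http":
        # "Disallow HTTP login": the plaintext endpoint must redirect to
        # https:// rather than serve a form or a session cookie.
        location = next((v for k, v in hdrs if k == "location"), "")
        if not (300 <= status < 400 and location.lower().startswith("https://")):
            findings.append("HTTP login served directly instead of redirecting to https://")
        if any(k == "set-cookie" for k, _ in hdrs):
            findings.append("session cookie issued over plaintext HTTP")
        return findings
    # "Enable secure cookies": every cookie set over HTTPS carries Secure.
    for k, v in hdrs:
        if k == "set-cookie" and "secure" not in _cookie_attrs(v):
            findings.append("cookie without Secure flag: " + v.split("=", 1)[0])
    # "Possibly use HSTS": header present with a non-zero max-age.
    hsts = next((v for k, v in hdrs if k == "strict-transport-security"), None)
    m = re.search(r"max-age\s*=\s*(\d+)", hsts or "", re.IGNORECASE)
    if not m or int(m.group(1)) == 0:
        findings.append("Strict-Transport-Security missing or max-age=0")
    return findings
```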
