Discussion in 'Closed Suggestions' started by Flo44, Apr 18, 2016.
1) enable/disable https for login
2) enable/disable hsts
Both of these should be done at web server level, not application level.
Speaking of your primary suggestion based on the title, this isn't something we plan to do as it provides little effective improvement. If the page that displays your login page is not offered over SSL, the whole process can still be MITM attacked. Further, you then require cookies to be sent over a non-SSL connection (no "secure" flag), which means that they can be stolen by a MITM which would also allow account access.
If SSL is to be used, it should be used everywhere.
Separate names with a comma.