Not Planned Force https for login

Discussion in 'Closed Suggestions' started by Flo44, Apr 18, 2016.

  1. Flo44

    Flo44 New Member

    1) enable/disable https for login
    2) enable/disable hsts
  2. Mouth

    Mouth Well-Known Member

    Both of these should be done at web server level, not application level.
  3. Mike

    Mike XenForo Developer Staff Member

    Speaking of your primary suggestion based on the title, this isn't something we plan to do as it provides little effective improvement. If the page that displays your login page is not offered over SSL, the whole process can still be MITM attacked. Further, you then require cookies to be sent over a non-SSL connection (no "secure" flag), which means that they can be stolen by a MITM which would also allow account access.

    If SSL is to be used, it should be used everywhere.
    Jarod, Amaury and Chris D like this.
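    An added illustration of the point Mike makes (not code from this thread or from XenForo): Python's standard-library cookie jar models what a browser does with a session cookie issued by an HTTPS login page when the next page load is plain http://. The host name, cookie name and values are constructed for the example.

```python
"""Added example: does a session cookie issued over HTTPS ride along on the
next plain-HTTP page load? Models the browser with Python's http.cookiejar.
Host, cookie name and values are constructed, not taken from any real site."""
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request

HOST = "forum.example"  # constructed host name


class _Response:
    """Minimal stand-in for an HTTP response: CookieJar only needs .info()
    to return an object with get_all(), which email.message.Message has."""

    def __init__(self, headers: dict[str, str]):
        self._msg = Message()
        for name, value in headers.items():
            self._msg[name] = value

    def info(self) -> Message:
        return self._msg


def cookie_sent_over_http(set_cookie: str) -> bool:
    """Simulate: the login response over https:// sets the cookie, then the
    browser fetches any http:// page on the same host. Returns True if the
    cookie is attached to that plaintext request (readable by a MITM)."""
    jar = CookieJar()
    login = Request(f"https://{HOST}/login")
    jar.extract_cookies(_Response({"Set-Cookie": set_cookie}), login)
    next_page = Request(f"http://{HOST}/index.php")
    jar.add_cookie_header(next_page)  # applies the browser's Secure-flag rule
    return next_page.has_header("Cookie")


def hsts_present(response_headers: dict[str, str]) -> bool:
    """HSTS makes the browser refuse plain http:// for the host at all; it is
    a response header, i.e. something configured at the web server level."""
    return any(k.lower() == "strict-transport-security" for k in response_headers)


if __name__ == "__main__":
    no_flag = "session_id=c0nstructed; Path=/; HttpOnly"
    with_flag = "session_id=c0nstructed; Path=/; HttpOnly; Secure"
    print("no Secure flag -> sent over http:", cookie_sent_over_http(no_flag))   # True
    print("Secure flag    -> sent over http:", cookie_sent_over_http(with_flag)) # False
```

    Without the Secure flag the cookie is replayed on the very next plaintext request even though the login itself was over HTTPS, which is why an HTTPS-only login page buys little on its own.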