Comments (2)
zanchey
commented on July 2, 2024
Redirecting automatically to HTTPS is pretty easy and mitigates this issue.
Does it? Can't the attacker intercept the redirect?
HSTS is a reasonable thing to implement though (with a slow-growing expiry time).
from fish-site.
NiciusB
commented on July 2, 2024
Yeah, you are right about that. If someone is typing the URL, they will probably not write https, and I'm fairly sure all browsers just go to the http version by default.
However, and someone will probably have access to analytics to check this, most users don't just directly type the url. Most traffic will come from links pasted on other webs, social media, or other.
Just by enabling the https redirection, most of the traffic will go directly to the https version.
HSTS can be enabled with pretty short expiring dates, so that would work great as well! However, keep in mind that it's just a HTTP header that gets saved. If a user has never opened the website, and they navigate to the http version, it can still be hijacked. The only way to surpass this is preloading the hsts on the browser, which chromes does for decently sized websites that send the header
from fish-site.
Related Issues (20)
- documentation is being clipped on small (phone) screen HOT 1
- Website search doesn't seem to work HOT 1
- What happened to the main page of fishshell.com ? HOT 4
- RSS Feed for the Blog HOT 1
- Improve fallback fonts using ModernFontStacks HOT 1
- Regarding the magenta home page. HOT 7
- Link to 3.7 release notes from blog actually points to 3.6 release notes HOT 1
- Duplicated text in documentation "Writing your own completions"
- Redirect /docs/ to /docs/current/
- markup typo HOT 1
- The Guix package URL is broken HOT 3
- SSL certificate is broken HOT 11
- Possibly a typo in docs HOT 1
- typos in urls HOT 1
- Some HTML tags interpreted as plain text HOT 1
- Link to Linux tab for WSL
- Why are we tracking site/_site folder in git HOT 2
- Update webconfig screenshot when 3.2 is released HOT 1
- Can't search for commands like "if" and "for" HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from fish-site.