Closed katanacrimson closed 7 years ago
Bumping - nearing one month of age. This is merely adding an HTTP header to all Heello web and API requests to indicate that Heello should only be accessed via HTTPS (and not through HTTP) to help mitigate any MITM attempts via SSL terminators. Please consider.
This is a rather simple change which would provide some solid security benefits. Any word about the status of HSTS implementation - has it been considered?
http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
Considering Heello seems to be over HTTPS only (and always), this might be a good idea.
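What the request in this thread amounts to on the server side, as an added example that is not part of the thread and not Heello's code: a WSGI middleware that redirects plain HTTP and adds `Strict-Transport-Security` to every HTTPS response (RFC 6797 says the header must not be sent over plain HTTP). The canonical host `example.test`, the one-year `max-age`, and the names `HSTSMiddleware`, `demo_app` and `call` are assumptions.

```python
from urllib.parse import quote

# Assumed policy: one year, covering subdomains. Not a value from the thread.
HSTS_VALUE = "max-age=31536000; includeSubDomains"

class HSTSMiddleware:
    """Wrap a WSGI app: redirect plain HTTP, add HSTS to every HTTPS response."""

    def __init__(self, app, canonical_host, hsts_value=HSTS_VALUE):
        self.app = app
        # Redirect to a configured host, never to the client-supplied Host header.
        self.canonical_host = canonical_host
        self.hsts_value = hsts_value

    def __call__(self, environ, start_response):
        # Behind a TLS-terminating proxy the server must set url_scheme correctly.
        if environ.get("wsgi.url_scheme") != "https":
            path = quote(environ.get("SCRIPT_NAME", "") + environ.get("PATH_INFO", ""))
            location = "https://" + self.canonical_host + (path or "/")
            if environ.get("QUERY_STRING"):
                location += "?" + environ["QUERY_STRING"]
            # No HSTS header here: browsers ignore it over HTTP anyway.
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]

        def add_hsts(status, headers, exc_info=None):
            # Drop any copy set by the app so exactly one header is sent.
            headers = [(k, v) for k, v in headers
                       if k.lower() != "strict-transport-security"]
            headers.append(("Strict-Transport-Security", self.hsts_value))
            return start_response(status, headers, exc_info)

        return self.app(environ, add_hsts)

def demo_app(environ, start_response):
    """Stand-in for the real web or API application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]

def call(app, scheme, path="/", query=""):
    """Drive a WSGI app with a constructed request; return (status, headers)."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)
    environ = {"wsgi.url_scheme": scheme, "REQUEST_METHOD": "GET",
               "PATH_INFO": path, "QUERY_STRING": query}
    b"".join(app(environ, start_response))
    return captured["status"], captured["headers"]
```
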