Hello,

On Thu, Aug 01, 2024 at 09:09:18PM +0500, Jenny Rose wrote:
> Hi Team,
> I hope you are well.
> 
> I would like to share another vulnerability of your website
> 
> Vulnerability 1: Non - secure requests are not automatically upgraded to
> HTTPS | HSTS missing
> 
> Description
> 
> The application fails to prevent users from connecting to it over
> unencrypted connections.
(...)

Supporting clear connections is an absolute necessity for a huge
number of users, and by the way you would probably not be able to
validate some certificates, download some SSL libraries nor some
browsers if all sites were enforcing encryption everywhere.

This has nothing to do with a vulnerability, it works as designed and
as desired. Anyone is free to bind or not to clear ports, there's no
automatic binding, and configurations to apply various redirect options
are widely available.

Last, there are users who are extremely cautious about HSTS due to the
way they create "super cookies" that track a user forever and that, with
some browsers, even allow tracking the user across multiple devices.

Thanks,
Willy
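The reply above says that binding a clear port, redirecting to HTTPS and sending HSTS are all operator choices rather than defaults. The configuration below is an added example, not part of the thread or of any project's shipped files; it assumes the server being discussed is HAProxy (the thread does not name it), and the frontend/backend names, addresses and certificate path are placeholders. It shows the clear listener kept in place, with the redirect and the HSTS header each on its own line so either can be removed to match the policy the operator actually wants.

```haproxy
# Added example (not from the thread). Names, addresses and the
# certificate path are assumptions; adjust to your deployment.

frontend fe_clear
    # Clear-text listener kept available: clients that cannot use TLS yet
    # (certificate validation fetches, bootstrapping downloads) still work.
    bind :80
    # Optional: send everything that arrived in clear to HTTPS.
    # Delete this line to keep serving clear-text requests directly.
    http-request redirect scheme https code 301 unless { ssl_fc }
    default_backend be_app

frontend fe_tls
    bind :443 ssl crt /etc/haproxy/certs/example.pem
    # Optional: HSTS. Browsers remember this for the whole max-age, so only
    # enable it once every covered host will serve TLS for that long; it is
    # opt-in precisely because of the persistence concerns raised above.
    http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains"
    default_backend be_app

backend be_app
    server app1 127.0.0.1:8080 check
```

Check the result with a plain request to port 80 and confirm you get a 301 to the https:// URL only when the redirect line is present, and that the Strict-Transport-Security header appears only on the TLS frontend.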

