Hello,

On Thu, Aug 01, 2024 at 09:09:18PM +0500, Jenny Rose wrote:
> Hi Team,
> I hope you are well.
>
> I would like to share another vulnerability of your website
>
> Vulnerability 1: Non-secure requests are not automatically upgraded to
> HTTPS | HSTS missing
>
> Description
>
> The application fails to prevent users from connecting to it over
> unencrypted connections.
(...)
Supporting clear connections is an absolute necessity for a huge number of users, and by the way you would probably not be able to validate some certificates, download some SSL libraries or some browsers if all sites were enforcing encryption everywhere. This has nothing to do with a vulnerability; it works as designed and as desired. Anyone is free to bind or not to bind to clear ports; there's no automatic binding, and configurations to apply various redirect options are widely available.

Last, there are users who are extremely cautious about HSTS due to the way it creates "super cookies" that track a user forever and that, with some browsers, even allow tracking the user across multiple devices.

Thanks,
Willy
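The report above is the output of a scanner check rather than a proof of anything exploitable. To make concrete what such a check actually looks at (a plain-HTTP response that does or does not redirect to https://, and the Strict-Transport-Security header, which per RFC 6797 a browser only honours when received over TLS), here is a small checker written for this page. It is an added example, not code from the thread or from the site being reported on; the two raw HTTP responses are constructed inline, and the `TransportPolicy` record and function names are this example's own.

```python
"""Classify a site's clear-text handling: HTTPS redirect and HSTS policy.

Added example; the sample responses below are constructed, not captured.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class TransportPolicy:
    redirects_to_https: bool        # plain-HTTP request answered with a redirect to https://
    hsts_max_age: Optional[int]     # None when no Strict-Transport-Security header over TLS
    include_subdomains: bool
    preload: bool


def parse_response(raw: bytes) -> Tuple[int, dict]:
    """Split a raw HTTP/1.x response into (status code, {lowercase header name: value})."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def parse_hsts(value: str) -> Tuple[Optional[int], bool, bool]:
    """Parse an HSTS header value (RFC 6797 section 6.1): ';'-separated directives.

    Returns (max-age seconds or None, includeSubDomains present, preload present).
    Directive names are case-insensitive; max-age may be quoted.
    """
    max_age = None
    include_sub = False
    preload = False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name == "max-age" and val.isdigit():
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    return max_age, include_sub, preload


def evaluate(plain_response: bytes, tls_response: bytes) -> TransportPolicy:
    """Combine the clear-text and TLS responses into one policy record.

    HSTS is read only from the TLS response, because browsers ignore the header
    when it arrives over plain HTTP (RFC 6797 section 8.1).
    """
    status, headers = parse_response(plain_response)
    location = headers.get("location", "")
    redirects = status in (301, 302, 307, 308) and location.lower().startswith("https://")

    _, tls_headers = parse_response(tls_response)
    hsts = tls_headers.get("strict-transport-security")
    if hsts is None:
        return TransportPolicy(redirects, None, False, False)
    max_age, sub, pre = parse_hsts(hsts)
    return TransportPolicy(redirects, max_age, sub, pre)


# Constructed sample responses (not captured from any real host).
PLAIN_NO_REDIRECT = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                     b"Content-Length: 0\r\n\r\n")
PLAIN_REDIRECT = (b"HTTP/1.1 301 Moved Permanently\r\n"
                  b"Location: https://www.example.com/\r\nContent-Length: 0\r\n\r\n")
TLS_NO_HSTS = PLAIN_NO_REDIRECT
TLS_HSTS = (b"HTTP/1.1 200 OK\r\n"
            b"Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\n"
            b"Content-Length: 0\r\n\r\n")


if __name__ == "__main__":
    # A site that serves clear text as designed (what the scanner flagged).
    print(evaluate(PLAIN_NO_REDIRECT, TLS_NO_HSTS))
    # A site that redirects and pins HTTPS for a year, including subdomains.
    print(evaluate(PLAIN_REDIRECT, TLS_HSTS))
```

The `hsts_max_age` value is the window during which the browser remembers the policy; that persisted, per-host state is the mechanism Willy refers to when he mentions HSTS "super cookies", so a checker reporting the header as missing is reporting a deliberate choice, not a defect.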