edirected back to HTTP after login the cookie can be stolen
and an attacker can take over the session. This can be avoided by
carefully making sure that all cookies get the secure flag. But it's
much easier to just avoid it by using HSTS, which prevents cookies from
ever being sent over HTTP.
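As an added example (not part of the original thread), here is a small Python audit of a login response's headers for the two mitigations just described: the Secure flag on every cookie and a Strict-Transport-Security policy with a long max-age. The header names are the standard ones; the sample response and the one-year threshold are constructed for illustration.

```python
def parse_set_cookie(value):
    # "name=val; Path=/; Secure; HttpOnly" -> (name, {attr: value}), attrs lower-cased
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs

def parse_hsts(value):
    # "max-age=N; includeSubDomains" -> (max_age, include_subdomains); None if malformed
    max_age, include_sub = None, False
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        key = key.strip().lower()
        if key == "max-age":
            if not val.strip().strip('"').isdigit():
                return None
            max_age = int(val.strip().strip('"'))
        elif key == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

def audit_response(headers, min_hsts_age=31536000):
    # headers: list of (name, value) pairs as received from the server. Reports
    # cookies usable over plain HTTP and whether HSTS meets min_hsts_age seconds.
    insecure_cookies, hsts = [], None
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookie_name, attrs = parse_set_cookie(value)
            if "secure" not in attrs:
                insecure_cookies.append(cookie_name)
        elif name.lower() == "strict-transport-security":
            hsts = parse_hsts(value)
    return {
        "insecure_cookies": insecure_cookies,
        "hsts_present": hsts is not None,
        "hsts_max_age_ok": hsts is not None and hsts[0] >= min_hsts_age,
        "hsts_include_subdomains": bool(hsts and hsts[1]),
    }

# Constructed sample: a post-login response that marks only one cookie Secure
# and sends an HSTS policy that expires after an hour.
SAMPLE_HEADERS = [
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly; Secure"),
    ("Set-Cookie", "remember=xyz; Path=/; HttpOnly"),
    ("Strict-Transport-Security", "max-age=3600; includeSubDomains"),
]
```

Running `audit_response(SAMPLE_HEADERS)` flags the `remember` cookie and the short HSTS lifetime; a clean response returns an empty cookie list with `hsts_max_age_ok` true.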
--
> here is no need for sites to refuse
> to support HTTP.
Can you explain that?
Leaving the HTTP default open means people's access credentials can be
stolen by an active attacker - even if they think they're using https
because of the misleading option at the login screen.
I don't think leavin