HTTPS inconsistencies

  • It's nice that being logged in makes the site default to HTTPS for most things, but there's an unfortunately large number of pages that still get served over HTTP, like any section using the old site layout, and curiously the "Create New Topic" page is also served over HTTP.

    If you want to keep your users' cookies secure, it's really a binary thing - either everything is served over HTTPS when you're logged in, or the cookies aren't really secure. It would be nice to see this addressed.

    As a side note, the website field in the profile editor is prefixed to always use http:// - it'd be nice if this could be made part of the field itself. To avoid any linking issues, you could simply stick http:// in front if someone were to forget to include the protocol.
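
The point about mixed HTTP/HTTPS pages, as an added example that is not part of the original post or the site's own code: a cookie set without the `Secure` attribute is sent on every matching request, so one HTTP page is enough to put it on the wire in cleartext. The host name, paths and cookie values are constructed, all pages are assumed to be on the same host, and HSTS is not modelled.

```javascript
// Added illustration; sample headers and URLs below are constructed.

// Parse one Set-Cookie header value into the fields that matter here.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), secure: false, path: "/" };
  for (const attr of attrs) {
    const [key, value = ""] = attr.split("=").map((s) => s.trim());
    const k = key.toLowerCase();
    if (k === "secure") cookie.secure = true;
    if (k === "path" && value.startsWith("/")) cookie.path = value;
  }
  return cookie;
}

// Path matching as described in RFC 6265, section 5.1.4.
function pathMatches(cookiePath, requestPath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// For each page URL, list the cookies a browser would send unencrypted.
function cleartextExposure(setCookieHeaders, pageUrls) {
  const cookies = setCookieHeaders.map(parseSetCookie);
  const report = [];
  for (const page of pageUrls) {
    const url = new URL(page);
    if (url.protocol !== "http:") continue; // HTTPS requests are encrypted
    const exposed = cookies
      .filter((c) => !c.secure && pathMatches(c.path, url.pathname))
      .map((c) => c.name);
    if (exposed.length > 0) report.push({ page, exposed });
  }
  return report;
}

// Constructed sample: one session cookie without Secure, one with it.
const sampleHeaders = [
  "session=abc123; Path=/; HttpOnly",
  "csrf=def456; Path=/; Secure; HttpOnly",
];
const samplePages = [
  "https://forum.example/profile",
  "http://forum.example/forum/create-topic",
  "http://forum.example/old-layout/page",
];
console.log(JSON.stringify(cleartextExposure(sampleHeaders, samplePages), null, 2));
```

Adding `Secure` to the session cookie empties the report, but the browser then stops sending it to the HTTP pages, which is why the remaining HTTP sections have to move to HTTPS at the same time.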

  • Hi!

    Thank you for the post. You are correct that it's important to secure users' cookies with a 100% https website.

    As you observed, older pages are not https secured. This is because as we're rolling out the new design/new sections of the site we are ensuring they are all forced to https one at a time. Unfortunately we can't just switch the site to https entirely as it would throw a lot of security warnings which is highly detrimental to visitor retention. It's going to be a gradual process and takes time.

    I know this is not ideal, however we don't consider our website to be a high value target (if someone did hijack your cookie there's not much damage to be done). So for this reason we think the gradual change to https is satisfactory.

    Tom
