There are two problems with the HTTP vs. HTTPS setting, one problem with each possible value.
Problem 1 - if you serve all content over HTTPS, and then "story" mode loads content over HTTP, Firefox will refuse to display it unless you whitelist every single page for this purpose individually, which kind of feels like the wrong solution. I imagine other browsers will follow suit.
Problem 2 - if you serve all content over HTTP, the session cookie is unprotected and all you need to hijack the session is that value.
The latter would probably be fine if HTTPS and an additional secure cookie were required to access the account settings / preferences. As it stands, an attacker gaining the session cookie value over HTTP could delete an account, cancel payments, access personal details, etc.
Suggested solution - pro: account details safe; con: additional complexity and an additional login required to access settings if you're using HTTP-only mode.
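An added illustration of the split-cookie scheme the comment suggests (not code from the commenter or from the site under discussion): the ordinary session cookie works over HTTP for reading stories, while anything under /settings additionally requires HTTPS plus a second cookie flagged Secure, which a browser never sends over plain HTTP. Cookie names, paths and the in-memory token tables are assumptions for the example.

```python
from http.cookies import SimpleCookie
import secrets

# Assumed cookie names for this example.
SESSION_COOKIE = "session"         # sent over HTTP and HTTPS
SETTINGS_COOKIE = "settings_auth"  # Secure flag: browser sends it over HTTPS only


def new_token():
    return secrets.token_urlsafe(32)


def session_cookie_header(token):
    """Plain session cookie: readable site-wide, also travels over HTTP."""
    c = SimpleCookie()
    c[SESSION_COOKIE] = token
    c[SESSION_COOKIE]["httponly"] = True
    c[SESSION_COOKIE]["path"] = "/"
    return c.output(header="Set-Cookie:").strip()


def settings_cookie_header(token):
    """Second cookie issued after a re-login over HTTPS; Secure keeps it off HTTP."""
    c = SimpleCookie()
    c[SETTINGS_COOKIE] = token
    c[SETTINGS_COOKIE]["secure"] = True
    c[SETTINGS_COOKIE]["httponly"] = True
    c[SETTINGS_COOKIE]["path"] = "/settings"
    return c.output(header="Set-Cookie:").strip()


def parse_cookies(cookie_header):
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    return {name: morsel.value for name, morsel in jar.items()}


def authorize(path, scheme, cookie_header, sessions, settings_grants):
    """Return the user allowed to access `path`, or None.

    `sessions` and `settings_grants` are constructed token -> user tables.
    Story pages need only the session cookie. /settings needs HTTPS and the
    Secure cookie too, so a session token sniffed from HTTP is not enough.
    """
    cookies = parse_cookies(cookie_header)
    user = sessions.get(cookies.get(SESSION_COOKIE))
    if user is None:
        return None
    if not path.startswith("/settings"):
        return user
    if scheme != "https":
        return None
    if settings_grants.get(cookies.get(SETTINGS_COOKIE)) != user:
        return None
    return user
```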



