The Observatory gives a penalty for cookies without the secure flag.
However, it'll give a smaller penalty if the site uses HSTS. The explanation is:
Session cookie set without the Secure flag, but transmission over HTTP prevented by HSTS
This is misleading. It is possible to have setups where a cookie is sent over HSTS, but can still be transmitted in plain text.
I have set up a simple example:
I think it is problematic to imply that HSTS would make the cookie secure flag unnecessary.
( https://bugzilla.mozilla.org/show_bug.cgi?id=1870262 is also related.)
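As an added illustration of why HSTS is not a substitute for the Secure attribute (this is example code written for this page, not code from the issue author or from the Observatory): a small classifier that, given a site's Strict-Transport-Security and Set-Cookie response headers, reports whether a cookie is actually shielded from plaintext transmission. It models the scope mismatch between a host-scoped HSTS policy and a Domain-scoped cookie, a missing or max-age=0 policy, and the fact that even a matching policy only works once the browser has cached it. All headers and host names are constructed sample values.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Hsts:
    max_age: int
    include_subdomains: bool


def parse_hsts(header: Optional[str]) -> Optional[Hsts]:
    """Parse a Strict-Transport-Security header; None when absent or unusable."""
    if not header:
        return None
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.lower(), value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else Hsts(max_age, include_sub)


def cookie_protection(set_cookie: str, hsts_header: Optional[str], host: str) -> str:
    """Classify how a cookie set by `host` is protected against plaintext transmission.

    "secure-flag"        the browser itself refuses to send it over http
    "no-hsts"            no effective HSTS policy; the cookie can travel in clear text
    "hsts-subdomain-gap" the cookie's Domain scope is wider than the HSTS scope,
                         so sibling/sub hosts without HSTS still receive it over http
    "hsts-only"          depends on a cached HSTS entry (absent on first visit or
                         after expiry); not equivalent to the Secure attribute
    """
    attrs = {}
    for part in set_cookie.split(";")[1:]:          # skip the name=value pair
        key, _, value = part.strip().partition("=")
        attrs[key.strip().lower()] = value.strip()
    if "secure" in attrs:
        return "secure-flag"
    hsts = parse_hsts(hsts_header)
    if hsts is None or hsts.max_age == 0:
        return "no-hsts"
    domain = attrs.get("domain", "").lstrip(".").lower()
    if domain:                                       # domain-wide cookie
        if hsts.include_subdomains and domain == host.lower():
            return "hsts-only"
        return "hsts-subdomain-gap"
    return "hsts-only"                               # host-only cookie on an HSTS host
```

Only "secure-flag" means the browser never sends the cookie over http; every other result is a case where the Observatory's wording would be misleading to some degree.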