curl -I doesn’t return the Strict-Transport-Security header. Would it be possible to have “Strict-Transport-Security: max-age=31536000; includeSubDomains; preload”? The goal is to secure the access, see CheatSheetSeries/ at master · OWASP/CheatSheetSeries · GitHub.

I don’t see any possible security breach here. Are you reporting a vulnerability, or is this a feature request? What’s the goal of the HTTP protocol, if Crowdin has already been on HTTPS for a long time? All resources of Crowdin are already on the HTTPS protocol…

Plus, Crowdin has been ISO certified for a long time; this is a guarantee of security.

I’m reporting a security weakness. Strict-Transport-Security instructs the browser to only use HTTPS, in case a man in the middle filters out Crowdin’s request to move from HTTP to HTTPS.
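As an added illustration of the check being discussed (this is example code, not Crowdin’s code nor part of the original thread), the script below parses a Strict-Transport-Security value the way RFC 6797 describes and reports the gaps a reviewer would flag: a missing header, a short `max-age`, or missing `includeSubDomains` / `preload`. The sample response headers are constructed inline, not captured from crowdin.com, so it runs offline; the function names `parse_hsts` and `assess` are this example's own.

```python
"""Evaluate a Strict-Transport-Security (HSTS) header and flag weak or missing
policies.  Added example, not Crowdin's code.  Sample header values are
constructed, not captured from any real site."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One year in seconds: the value the thread asks for and the minimum the
# browser preload list requires (RFC 6797 itself sets no minimum).
ONE_YEAR = 31536000


@dataclass
class HstsPolicy:
    max_age: Optional[int]
    include_subdomains: bool
    preload: bool
    errors: List[str]


def parse_hsts(value: str) -> HstsPolicy:
    """Parse the directive list per RFC 6797 section 6.1: directives are
    ';'-separated, names are case-insensitive, max-age is required, and a
    directive may appear only once.  Unknown directives are ignored."""
    max_age: Optional[int] = None
    include_subdomains = False
    preload = False
    errors: List[str] = []
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name in seen:
            errors.append(f"duplicate directive: {name}")
            continue
        seen.add(name)
        if name == "max-age":
            if not re.fullmatch(r"\d+", arg):
                errors.append(f"max-age must be a non-negative integer, got {arg!r}")
            else:
                max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        errors.append("max-age directive is required")
    return HstsPolicy(max_age, include_subdomains, preload, errors)


def assess(headers: Dict[str, str]) -> List[str]:
    """Return findings for a response header map (keys matched
    case-insensitively).  An empty list means the response meets the
    'max-age=31536000; includeSubDomains; preload' baseline."""
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get("strict-transport-security")
    if value is None:
        return ["HSTS header missing: a network attacker can strip the "
                "HTTP->HTTPS redirect on a first or expired visit"]
    policy = parse_hsts(value)
    findings = list(policy.errors)
    if policy.max_age is not None:
        if policy.max_age == 0:
            findings.append("max-age=0 disables HSTS for this host")
        elif policy.max_age < ONE_YEAR:
            findings.append(f"max-age {policy.max_age} is below one year ({ONE_YEAR})")
    if not policy.include_subdomains:
        findings.append("includeSubDomains missing: subdomains (and cookies "
                        "scoped to them) are still reachable over plain HTTP")
    if not policy.preload:
        findings.append("preload missing: the very first visit still starts "
                        "over plaintext HTTP")
    return findings


# Constructed sample responses (not real captures).
SAMPLES = {
    "missing": {"Content-Type": "text/html"},
    "weak": {"Strict-Transport-Security": "max-age=3600"},
    "recommended": {"Strict-Transport-Security":
                    "max-age=31536000; includeSubDomains; preload"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(label, assess(hdrs) or ["ok"])
```

Note that browsers only honour this header on a response received over HTTPS; sending it on the plain-HTTP redirect does nothing, so the check belongs on the `https://` response that `curl -I` returns.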

Hello @oliviertassinari

If you found a vulnerability and would like to report it, kindly follow these instructions.

Please take a detailed look at the sections “What are We Looking for” and “What We are Not Looking for” before submitting a report.