curl -I http://translate.mui.com doesn’t return the Strict-Transport-Security header. Would it be possible to have “Strict-Transport-Security: max-age=31536000; includeSubDomains; preload”? The goal is to secure the access, see CheatSheetSeries/HTTP_Strict_Transport_Security_Cheat_Sheet.md at master · OWASP/CheatSheetSeries · GitHub.
I don’t see any possible security breach here. Are you reporting a vulnerability, or is this a feature request? What’s the goal of the http protocol, if Crowdin has already been on https for a long time? All resources of Crowdin are already on the HTTPS protocol…
Plus, Crowdin has been ISO certified for a long time; this is a guarantee of security.
I’m reporting a security weakness. Strict-Transport-Security instructs the browser to only use HTTPS, in the event that a man in the middle might filter out Crowdin’s request to move from HTTP to HTTPS.
If you found a vulnerability and would like to report it, kindly follow these instructions.
Please take a detailed look at the sections “What are We Looking for” and “What We are Not Looking for” before submitting a report.