ipaqmaster t1_ir3qz0r wrote
FYI the signup process redirects to the website without https (Downgrade) and same whenever you try to make a new poll.
bowelcrusher OP t1_ir4078c wrote
Thanks for letting me know - definitely wanna sort that out. I haven't been able to recreate this on Safari or Chrome; will you please let me know which web browser you're using?
ipaqmaster t1_ir41lwb wrote
Mozilla Firefox 105.0.1 on Linux kernel 5.19.12
I can see it in the Network tab of Developer Tools, after registering to make a vote count it POSTs to /new_vote and catches a 302 redirect, but the location header of that 302 is Location: http://myworld.vote
which is where that downgrade caught my attention. Granted in the majority of cases, a browser will remember an earlier 301 and not follow the URI to be told 301 > https a second time. (But because your reddit post URL specifies https, that was my browser's first time being redirected to it again)
Anyone running an SSL enforcer could get stuck there which I guess is where setting your HSTS headers could save the day in that case. Otherwise fixing that Location string.
Easy change in new_vote I presume. That endpoint also explains why it happened a second time post-registration during another vote.
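The check described in the comment above, written as a response audit (an added example, not part of the original thread and not the site's code). The function names and the sample responses are constructed for illustration; the request is assumed to have been made over https to the /new_vote endpoint the comment mentions.

```python
from urllib.parse import urljoin, urlsplit

REDIRECTS = (301, 302, 303, 307, 308)

def hsts_max_age(value):
    """Return max-age from a Strict-Transport-Security value (0 if absent or invalid)."""
    if not value:
        return 0
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            arg = arg.strip().strip('"')
            return int(arg) if arg.isdigit() else 0
    return 0

def audit_response(request_url, status, headers):
    """Flag an https -> http redirect and a missing HSTS policy on one response."""
    findings = []
    hdrs = {k.lower(): v for k, v in headers.items()}
    req = urlsplit(request_url)
    if status in REDIRECTS and "location" in hdrs:
        # A relative Location inherits the request scheme, so resolve it first.
        target = urlsplit(urljoin(request_url, hdrs["location"]))
        if req.scheme == "https" and target.scheme == "http":
            findings.append(("downgrade", target.geturl()))
    # max-age=0 tells the browser to forget the policy, so treat it as missing.
    if req.scheme == "https" and hsts_max_age(hdrs.get("strict-transport-security")) == 0:
        findings.append(("no-hsts", req.hostname))
    return findings

# Constructed samples modelled on the behaviour reported in the thread.
OBSERVED = ("https://myworld.vote/new_vote", 302,
            {"Location": "http://myworld.vote"})
FIXED_RELATIVE = ("https://myworld.vote/new_vote", 302,
                  {"Location": "/",
                   "Strict-Transport-Security": "max-age=31536000; includeSubDomains"})
HSTS_ONLY = ("https://myworld.vote/new_vote", 302,
             {"Location": "http://myworld.vote",
              "Strict-Transport-Security": "max-age=31536000"})

if __name__ == "__main__":
    for name, sample in (("observed", OBSERVED), ("fixed", FIXED_RELATIVE),
                         ("hsts-only", HSTS_ONLY)):
        print(name, audit_response(*sample))
```

The HSTS_ONLY sample still reports the downgrade: with a policy already cached the browser upgrades the follow-up request itself, but the Location string is still wrong for a client that has not yet seen the header.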
bowelcrusher OP t1_ir42kef wrote
Thanks a lot for pointing this out!
ipaqmaster t1_ir42ucd wrote
All good. Cool site!
[deleted] t1_ir41aj8 wrote
[deleted]