
ipaqmaster t1_ir3qz0r wrote

FYI the signup process redirects to the website without https (downgrade), and the same happens whenever you try to make a new poll.

5

bowelcrusher OP t1_ir4078c wrote

Thanks for letting me know - definitely wanna sort that out. I haven't been able to recreate this on safari or chrome; will you please let me know which web browser you're using?

2

ipaqmaster t1_ir41lwb wrote

Mozilla Firefox 105.0.1 on Linux kernel 5.19.12

I can see it in the Network tab of Developer Tools: after registering to make a vote count, it POSTs to /new_vote and catches a 302 redirect, but the Location header of that 302 is `Location: http://myworld.vote`, which is where that downgrade caught my attention. Granted, in the majority of cases a browser will remember an earlier 301 and not follow the URI to be told 301 > https a second time. (But because your reddit post URL specifies https, that was my browser's first time being redirected to it again.)

Anyone running an SSL enforcer could get stuck there, which I guess is where setting your HSTS headers could save the day in that case. Otherwise, fixing that Location string.

Easy change in new_vote I presume. That endpoint also explains why it happened a second time post-registration during another vote.

2
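The check described in the thread (a 3xx response whose Location drops https, and whether an HSTS header is present to cover that case), as an added example that is not part of the original posts. The responses are constructed inline to mirror the described /new_vote behaviour; nothing here was captured from the real site.

```python
from urllib.parse import urljoin, urlparse

# Constructed sample responses modelled on the thread: an https POST to /new_vote
# answered with a 302 Location that downgrades to http. Not real captures.
SAMPLE_RESPONSES = [
    {"request_url": "https://myworld.vote/new_vote", "status": 302,
     "headers": {"Location": "http://myworld.vote"}},
    {"request_url": "https://myworld.vote/new_vote", "status": 302,
     "headers": {"Location": "https://myworld.vote/",
                 "Strict-Transport-Security": "max-age=31536000; includeSubDomains"}},
    {"request_url": "https://myworld.vote/new_vote", "status": 302,
     "headers": {"Location": "/polls"}},
]


def check_redirect(resp):
    """Return a list of findings for one HTTP response.

    Flags a 3xx whose Location sends an https client to http, and any https
    response that lacks a Strict-Transport-Security header (HSTS would make a
    compliant browser upgrade the downgraded Location before following it).
    """
    findings = []
    req = urlparse(resp["request_url"])
    headers = {k.lower(): v for k, v in resp["headers"].items()}
    if 300 <= resp["status"] < 400 and "location" in headers:
        # A relative Location inherits the request scheme, so resolve it first.
        target = urlparse(urljoin(resp["request_url"], headers["location"]))
        if req.scheme == "https" and target.scheme == "http":
            findings.append(f"downgrade: {resp['status']} Location {headers['location']}")
    if req.scheme == "https" and "strict-transport-security" not in headers:
        findings.append("missing HSTS header")
    return findings


def fixed_location(location):
    """Rewrite an absolute http Location to https; leaves other values untouched."""
    parts = urlparse(location)
    if parts.scheme == "http":
        return parts._replace(scheme="https").geturl()
    return location


def audit(responses):
    """Map each response index to its findings."""
    return {i: check_redirect(r) for i, r in enumerate(responses)}


if __name__ == "__main__":
    for idx, found in audit(SAMPLE_RESPONSES).items():
        print(idx, found or "ok")
```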