Description
We used the highly reputable SSL Test from https://ssllabs.com/ to verify our usage of TLS. The report indicated that we are configured purely with TLS 1.3 and TLS 1.2, and has therefore given us an excellent rating (A, with a maximum of A+!)
However, if a user navigates to http://vaticle.com/, our server is not set up to force the request to actually use HTTPS, but rather redirects it to HTTPS. The difference is subtle: it leaves a small but potential window of opportunity for a MITM attack.
As mentioned by @jamesreprise earlier this year, we can sharply reduce the attack potential by implementing HSTS (HTTP Strict Transport Security) which should be quite straightforward - just adding an HTTP header that instructs browsers to only communicate with the server via HTTPS. (some good answers on the issue at https://stackoverflow.com/questions/4365294/is-redirecting-http-to-https-a-bad-idea .)
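As an added illustration (not code from this issue or from the vaticle.com deployment), the check below parses a Strict-Transport-Security header the way a browser would and flags the two gaps the issue describes: a plain-HTTP response that does not redirect to https://, and an HTTPS response that carries no usable HSTS policy. All header values and status codes are constructed samples; the one-year minimum for max-age is the common deployment recommendation, not a requirement of the issue.

```python
# Added example: evaluate an HSTS policy and an HTTP->HTTPS redirect pair.
# Inputs are constructed sample headers, not captured vaticle.com responses.
from dataclasses import dataclass
from typing import Optional

@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool

def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value (RFC 6797); None if unusable."""
    max_age, subs, preload = None, False, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not arg.isdigit():
                return None          # malformed max-age: browsers ignore the header
            max_age = int(arg)
        elif name == "includesubdomains":
            subs = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None                  # max-age is mandatory; without it there is no policy
    return HstsPolicy(max_age, subs, preload)

ONE_YEAR = 31_536_000  # recommended lower bound for max-age (assumption, see lead-in)

def check_hsts(https_headers: dict, http_headers: dict, http_status: int) -> list:
    """Return findings for a site's plain-HTTP and HTTPS responses."""
    findings = []
    location = http_headers.get("Location", "")
    if not (300 <= http_status < 400) or not location.lower().startswith("https://"):
        findings.append("plain HTTP is not redirected to https://")
    # Browsers only honour HSTS on a response received over TLS, so the header
    # must be present on the HTTPS response, not just on the redirect.
    policy = parse_hsts(https_headers.get("Strict-Transport-Security", ""))
    if policy is None:
        findings.append("HTTPS response lacks a valid Strict-Transport-Security header")
    elif policy.max_age < ONE_YEAR:
        findings.append(f"max-age {policy.max_age} is below the recommended one year")
    return findings

if __name__ == "__main__":
    # Constructed "before HSTS" state: redirect works, but no policy is sent over HTTPS.
    print(check_hsts({}, {"Location": "https://vaticle.com/"}, 301))
```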