[Owasp-leaders] HTTP to HTTPS redirects

Jim Manico jim.manico at owasp.org
Sun Oct 23 10:07:06 EDT 2011


Michael,

Troy Hunt and others noticed that you removed the recommendation to
avoid HTTP to HTTPS redirects, a long-standing AppSec recommendation.

https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_REMOVED_-_Do_Not_Perform_Redirects_from_Non-TLS_Page_to_TLS_Login_Page

As a chance to geek-out on leaders, may I/we ask why in a bit more depth?

I'm on the edge about this myself, but I think I understand your reasoning...

--
Jim Manico
(808) 652-3805
