
Issue due to mixed content http and https

Open shehabic-work opened this issue 8 years ago • 5 comments

Just change your NS of any domain to CloudFlare, Activate SSL, and there you go, you have Free Trusted SSL

shehabic-work, May 06 '16 18:05

Another solution is this: https://letsencrypt.org/

shehabic-work, May 06 '16 18:05

I'll set up your script and give you feedback.

shehabic-work, May 06 '16 18:05

The result is negative, all browsers are always complaining about Mixed Content (if you open the original page in http, then try to open something with https via Ajax).

shehabic-work, May 06 '16 20:05

I think the index page needs to be served without SSL to avoid the mixed content errors.

If the page is HTTPS, all resources on it must be HTTPS. If the page is HTTP, then you are allowed to load HTTPS or HTTP.

Requiring the index to be non-SSL also requires the cookie to be exposed over HTTP. Someone sniffing the traffic would see plaintext HTML and JavaScript, and be able to reconstruct the HSTS cookie. The only practical use for it might be in a site with no login and no expectation of security.

Probably the reason the HSTS information leak isn't fixed is because it's a difficult technique to implement (multiple subdomains, many ajax requests to read cookie) and because it relies on mixed content which will eventually go away as browsers start to tighten the SSL security requirements. I think eventually all browsers will attempt to load an HTTPS version of every resource and then fall back to HTTP to prevent users from accidentally viewing the insecure version of a page when both are available.

mnebuerquo, Jun 18 '16 12:06
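An added example, not code from the hsts-cookie project or from anyone in this thread, that applies the rule mnebuerquo describes to a constructed page: a small Python checker that lists which subresource loads a browser treats as mixed content, using the W3C Mixed Content spec's "blockable" / "optionally blockable" distinction. The hostnames, the sample HTML and the Ajax URL list are made up for the example.

```python
import re
from urllib.parse import urljoin, urlsplit

# Resource kinds whose insecure loads browsers refuse outright ("blockable")
# versus kinds they historically allowed with a warning ("optionally
# blockable"); current browsers upgrade or block the latter as well.
BLOCKABLE = {"script", "link", "iframe", "xhr"}
OPTIONALLY_BLOCKABLE = {"img", "audio", "video"}

# Minimal extractor for src=/href= on the tags we care about (not a full HTML parser).
TAG_RE = re.compile(
    r"<(script|link|iframe|img|audio|video)\b[^>]*?\b(?:src|href)=[\"']([^\"']+)[\"']",
    re.I,
)


def classify(page_url, resource_url, kind):
    """Return 'ok', 'blockable' or 'optionally-blockable' for one subresource."""
    page_scheme = urlsplit(page_url).scheme
    full = urljoin(page_url, resource_url)  # resolves //host and relative paths
    # An HTTP page may load anything; an HTTPS page may only load HTTPS.
    if page_scheme != "https" or urlsplit(full).scheme == "https":
        return "ok"
    return "blockable" if kind in BLOCKABLE else "optionally-blockable"


def scan_html(page_url, html, ajax_urls=()):
    """List (kind, url, verdict) for every load that is mixed content."""
    findings = []
    for kind, url in TAG_RE.findall(html):
        verdict = classify(page_url, url, kind.lower())
        if verdict != "ok":
            findings.append((kind.lower(), url, verdict))
    for url in ajax_urls:  # XHR/fetch targets are not visible in the markup
        verdict = classify(page_url, url, "xhr")
        if verdict != "ok":
            findings.append(("xhr", url, verdict))
    return findings


# Constructed sample page (hostnames are placeholders, not real sites).
SAMPLE_HTML = """<html><head>
<script src="http://cdn.example.test/app.js"></script>
<link rel="stylesheet" href="//static.example.test/site.css">
<img src="http://img.example.test/logo.png">
<script src="/local.js"></script>
</head></html>"""

if __name__ == "__main__":
    for page in ("https://www.example.test/", "http://www.example.test/"):
        print(page, scan_html(page, SAMPLE_HTML, ajax_urls=["https://a.example.test/bit"]))
```

The same markup yields two findings when served over HTTPS and none over HTTP, which is exactly why the technique in this issue only works from an insecure index page.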

It doesn't work on iOS anymore, Safari fixed this.

shehabic-work, Jun 18 '16 12:06