
Require SSL on any request whose response sends a set-cookie HTTP header. Leave it out for the non-sensitive request/responses.

You'd still be able to get the cookie when the client sends it back to the server on subsequent, non-SSL requests.

It's gotta be SSL all the time.
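The replay behaviour described in this thread, as an added example that is not part of the original posts: a cookie issued over HTTPS is attached by a standards-following client to a later plain-HTTP request for the same host unless it carries the Secure attribute. The host, paths and cookie values are constructed for the demonstration.

```python
import http.cookiejar
import urllib.request
from email.message import Message


class _FakeResponse:
    """Minimal stand-in for a urllib response; CookieJar only needs .info()."""

    def __init__(self, set_cookie_headers):
        self._msg = Message()
        for header in set_cookie_headers:
            self._msg["Set-Cookie"] = header  # Message appends repeated headers

    def info(self):
        return self._msg


def cookies_sent_to(set_cookie_headers, set_url, request_url):
    """Store the cookies a response at set_url handed out, then return the
    names the jar would attach to a later request for request_url."""
    jar = http.cookiejar.CookieJar()
    jar.extract_cookies(_FakeResponse(set_cookie_headers),
                        urllib.request.Request(set_url))
    later = urllib.request.Request(request_url)
    jar.add_cookie_header(later)  # applies the Secure check per cookie
    cookie_header = later.get_header("Cookie", "")
    return sorted(part.split("=", 1)[0].strip()
                  for part in cookie_header.split(";") if part.strip())


# Constructed: a login response served over HTTPS sets two cookies,
# one without and one with the Secure attribute.
SET_URL = "https://shop.example.test/login"
ISSUED = [
    "session=abc123; Path=/; HttpOnly",
    "session_secure=def456; Path=/; Secure; HttpOnly",
]

if __name__ == "__main__":
    for url in ("http://shop.example.test/cart",
                "https://shop.example.test/cart"):
        print(url, "->", cookies_sent_to(ISSUED, SET_URL, url))
```

Only `session` travels over the plain-HTTP request, which is the leak the second comment points out; the Secure-flagged cookie stays on HTTPS, and serving everything over SSL removes the non-SSL request altogether.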
