We should discuss HTTPS enforcement via the HSTS Preload list on SelfPrivacy user servers.
HSTS preload allows specifying that a domain should be accessed using ONLY HTTPS even before the user tries to connect to it, and the browser shouldn’t try to connect via HTTP. This improves security when connecting to a server via hostile networks (for example, metro/airport Wi-Fi).
HSTS is like a browser’s version of /etc/hosts, but it only contains domain names, not IP addresses. If a domain is listed, the browser will always use HTTPS to connect.
On SelfPrivacy servers, port 80 is only used to redirect to port 443 (HTTPS), so there’s no real benefit to HSTS.
In fact, it could have a slightly negative impact on security, as the site would be added to a public list that attackers could use to look for vulnerabilities.
Also, modern browsers already try to connect via HTTPS first by default.
But thanks for the suggestion.
Yes, you’re right. There are several scenarios where HSTS can protect against “man-in-the-middle” attacks. For example, if you connect to a compromised WiFi network, you might be tricked into phishing and end up giving away your Nextcloud or email password. I agree, adding this feature to SelfPrivacy would be a good idea.
The statement is correct if the user never ignores browser warnings and always pays attention to the lock icon in the address bar. However, even the best of us make mistakes sometimes.