secure snacking – switching to https everywhere

As a pioneering online business, we need to lead the way in terms of ensuring our users' privacy and protecting their data.

We enabled encryption for all traffic to the graze.com domain back in July. With this update we also turned on the Secure and HttpOnly flags for our authentication cookies, and will be doing the same for the rest in the near future.


Adding an HSTS policy header to our responses and including the graze.com domain on the HTTP Strict Transport Security preload list are just a few of the security improvements we'd like to make, leading neatly on from rolling out 100% SSL.

These changes would make sure that our customers make as few requests as possible to the graze website over an insecure connection (such as the first visit made by a customer from an old non-SSL link).
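A small response audit for the cookie flags and HSTS policy described above, as an added example that is not graze's own code. The header values and cookie names are constructed, and the preload thresholds (one-year `max-age`, `includeSubDomains`, `preload`) are the hstspreload.org submission requirements.

```python
PRELOAD_MIN_AGE = 31536000  # one year: minimum max-age for the preload list

def parse_hsts(value):
    """Split a Strict-Transport-Security value into (max_age, directive names)."""
    max_age, names = None, set()
    for part in filter(None, (p.strip() for p in value.split(";"))):
        name, _, arg = part.partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            max_age = int(arg)
        names.add(name)
    return max_age, names

def audit(scheme, headers):
    """Return findings for one response; headers is a list of (name, value)."""
    findings = []
    hsts = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if scheme != "https":
        # RFC 6797: browsers ignore HSTS delivered over an insecure connection.
        findings.append("plain HTTP response: HSTS cannot be set here")
    elif not hsts:
        findings.append("HSTS header missing")
    else:
        max_age, names = parse_hsts(hsts[0])  # only the first header is processed
        if max_age is None or max_age < PRELOAD_MIN_AGE:
            findings.append("HSTS max-age below one year")
        for required in ("includesubdomains", "preload"):
            if required not in names:
                findings.append(f"HSTS lacks {required}")
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie = value.split("=", 1)[0].strip()
        attrs = {a.partition("=")[0].strip().lower() for a in value.split(";")[1:]}
        for flag in ("secure", "httponly"):
            if flag not in attrs:
                findings.append(f"cookie {cookie} lacks {flag}")
    return findings

# Constructed sample responses (not captured from graze.com).
GOOD = [("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload"),
        ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly")]
WEAK = [("Strict-Transport-Security", "max-age=86400"),
        ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
        ("Set-Cookie", "basket=7; Path=/")]

if __name__ == "__main__":
    for label, resp in (("good", GOOD), ("weak", WEAK)):
        print(label, audit("https", resp))
```

The plain-HTTP branch is the case the preload list exists for: a first visit over an old non-SSL link never sees the header, so only a browser-shipped entry covers it.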

Edit – For some further reading, The New York Times published a great post on why we should embrace HTTPS.

by Sam Parkinson
