
snack overflow

by the graze technology teams

As a pioneering online business, we need to lead the way in terms of ensuring our users’ privacy and protecting their data.

We enabled encryption for all traffic to the domain back in July. With this update we also turned on the Secure and HttpOnly flags for our authentication cookies, and will be doing the same for the rest in the near future.

SSL Enabled

Adding an HSTS policy header to our responses and including the domain on the HTTP Strict Transport Security preload list are just a few security improvements that we’d like to do, leading neatly on from rolling out 100% SSL.

These changes would make sure that our customers make as few requests as possible to the graze website over an insecure connection (such as the first visit made by a customer from an old non-SSL link).
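As an added illustration (not graze's own code), the Python sketch below audits a response's headers for the two things this post covers: the Secure and HttpOnly cookie flags, and an HSTS header that meets the preload list's submission requirements. The cookie names and header values are constructed samples, and the `audit` and `parse_hsts` helpers are hypothetical names.

```python
PRELOAD_MIN_AGE = 31536000  # one year in seconds: the preload list's minimum max-age

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into a dict of lowercase directives."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"')
    return directives

def audit(headers):
    """Return a list of findings for a list of (name, value) response headers."""
    findings = []
    hsts = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if not hsts:
        findings.append("no Strict-Transport-Security header")
    else:
        d = parse_hsts(hsts[0])  # RFC 6797: only the first HSTS header is processed
        age = d.get("max-age", "")
        if not age.isdigit():
            findings.append("HSTS max-age missing or invalid")
        elif int(age) < PRELOAD_MIN_AGE:
            findings.append("HSTS max-age below one year (preload requirement)")
        for flag in ("includesubdomains", "preload"):
            if flag not in d:
                findings.append(f"HSTS lacks {flag} (preload requirement)")
    for n, v in headers:
        if n.lower() != "set-cookie":
            continue
        cookie_name = v.split("=", 1)[0].strip()
        # Attribute names are case-insensitive; values (e.g. Path=/) are ignored here.
        attrs = {a.strip().split("=", 1)[0].lower() for a in v.split(";")[1:]}
        for flag in ("secure", "httponly"):
            if flag not in attrs:
                findings.append(f"cookie {cookie_name} lacks {flag}")
    return findings

# Constructed sample responses: one before hardening, one after.
BEFORE = [("Set-Cookie", "session=abc123; Path=/"),
          ("Set-Cookie", "basket=7; Path=/; Secure")]
AFTER = [("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload"),
         ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly")]

if __name__ == "__main__":
    for finding in audit(BEFORE):
        print(finding)
```
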

Edit - For some further reading, The New York Times published a great post on why we should embrace HTTPS.