As a pioneering online business, we need to lead the way in ensuring our users’ privacy and protecting their data.
We enabled encryption for all traffic to the graze.com domain back in July. With this update, we also turned on the HttpOnly flags for our authentication cookies, and will be doing the same for the rest in the near future.
Adding an HSTS policy header to our responses and including the graze.com domain on the HTTP Strict Transport Security preload list are just a few of the security improvements that we’d like to make, leading neatly on from rolling out 100% SSL.
These changes would make sure that our customers make as few requests as possible to the graze website over an insecure connection (such as the first visit made by a customer from an old non-SSL link).
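As an added illustration (not graze's own code), the following Python sketch checks a Strict-Transport-Security value against the preload list's submission requirements (a max-age of at least one year, includeSubDomains and preload) and reports which of Secure and HttpOnly a Set-Cookie value lacks. The function names and the sample header values are constructed for this example.

```python
import re

PRELOAD_MIN_AGE = 31536000  # one year in seconds, the preload list minimum

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into {directive: argument}.
    Returns None when the header is malformed (RFC 6797, section 6.1)."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        if name in directives:               # a directive must not appear twice
            return None
        directives[name] = arg.strip().strip('"')  # max-age may be a quoted string
    if not re.fullmatch(r"\d+", directives.get("max-age", "")):
        return None                          # max-age is required and must be an integer
    return directives

def preload_problems(value):
    """List the reasons a header value would not qualify for preloading."""
    d = parse_hsts(value)
    if d is None:
        return ["header is malformed or lacks max-age"]
    problems = []
    if int(d["max-age"]) < PRELOAD_MIN_AGE:
        problems.append("max-age below one year")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains missing")
    if "preload" not in d:
        problems.append("preload missing")
    return problems

def cookie_missing_flags(set_cookie):
    """Return which of Secure / HttpOnly a Set-Cookie value does not set."""
    attrs = {a.strip().split("=")[0].lower() for a in set_cookie.split(";")[1:]}
    return [flag for flag in ("secure", "httponly") if flag not in attrs]

if __name__ == "__main__":
    # Constructed sample values, not captured from any real site.
    for hsts in ("max-age=86400", "max-age=31536000; includeSubDomains; preload"):
        print(repr(hsts), "->", preload_problems(hsts) or "ready for preload")
    cookie = "session=abc123; Path=/; HttpOnly"
    print(repr(cookie), "-> missing", cookie_missing_flags(cookie))
```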
Edit - For some further reading, The New York Times published a great post on why we should embrace HTTPS.