Our client wants more security. Here's what they told us:
For your reference as well, SSL is not enough to secure a web application. From our past experience, the common entry point of our attacks has been this weak security configuration. When I say this, I mean the sites we have where SSL is enabled but which have no secure headers. This has been our standard in our security.
When a site performs a 301 redirect from the http to the https version of the site, the redirect does not fully protect the site visitor, since it can be intercepted at the point when the visitor requests the http version of the site. This web server is already vulnerable to man-in-the-middle attacks. With this, the attacker has a lot of opportunity to stage further advanced attacks that may lead to information disclosure.
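The two things the client lists (an http-to-https redirect that can be intercepted on the first plaintext request, and HTTPS sites with no security headers) can be checked mechanically. The script below is an added example written for this page; it is not the client's or the poster's code and it does not describe their systems. It parses captured raw HTTP responses rather than fetching anything, so the sample responses, the hostname example.test and the list of expected headers are all constructed assumptions. The check that speaks to the redirect point is the Strict-Transport-Security (HSTS) header on the HTTPS response: a 301 alone leaves every first visit over plain http open to interception, whereas a returning browser that has seen HSTS skips the plaintext request entirely.

```python
"""Audit an http->https redirect and the security headers of the https response.

Added example for this page, not code from the client or the poster.
Works on raw HTTP response text so it runs offline; every response below
is constructed sample data, and example.test is a placeholder hostname.
"""
import re
from dataclasses import dataclass

# Headers a practitioner normally expects on an HTTPS site (assumed list).
EXPECTED_HEADERS = {
    "strict-transport-security",
    "content-security-policy",
    "x-content-type-options",
    "x-frame-options",
    "referrer-policy",
}

MIN_HSTS_MAX_AGE = 31536000  # one year, the commonly recommended minimum


@dataclass
class Response:
    status: int
    headers: dict  # header names lower-cased


def parse_response(raw: str) -> Response:
    """Parse the status line and headers of a raw HTTP/1.1 response."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return Response(status, headers)


def audit(http_raw: str, https_raw: str) -> list:
    """Return findings for a plain-http response and the https response."""
    findings = []
    http = parse_response(http_raw)
    https = parse_response(https_raw)

    # 1. The http:// version must redirect to an https:// URL.
    loc = http.headers.get("location", "")
    if http.status not in (301, 302, 307, 308) or not loc.lower().startswith("https://"):
        findings.append("http version does not redirect to https")

    # 2. The redirect alone is interceptable on the first request. HSTS on the
    #    https response tells returning browsers to skip plaintext entirely.
    #    (Browsers ignore HSTS sent over plain http, so only the https copy counts.)
    hsts = https.headers.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security on https response")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        max_age = int(m.group(1)) if m else 0
        if max_age < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age {max_age} is below {MIN_HSTS_MAX_AGE}")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains")

    # 3. The remaining security headers, reported in a stable order.
    for h in sorted(EXPECTED_HEADERS - {"strict-transport-security"}):
        if h not in https.headers:
            findings.append(f"missing {h} on https response")
    return findings


# Constructed sample responses: a redirect-only setup like the one the client
# describes, the bare https response behind it, and a hardened https response.
WEAK_HTTP = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://example.test/\r\n"
    "Content-Length: 0\r\n\r\n"
)
WEAK_HTTPS = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n\r\n<html></html>"
)
HARDENED_HTTPS = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: DENY\r\n"
    "Referrer-Policy: no-referrer\r\n\r\n<html></html>"
)

if __name__ == "__main__":
    for label, https_raw in (("weak", WEAK_HTTPS), ("hardened", HARDENED_HTTPS)):
        print(label, audit(WEAK_HTTP, https_raw) or ["no findings"])
```

On real sites the same two responses can be captured with `curl -si http://host/` and `curl -si https://host/` and fed to `audit`. HSTS only helps visitors who have already been to the https site once; the first-visit gap is closed by getting the domain onto the browser preload list, which is outside what the script can verify.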