Testing website security: Google permissions, cookies and HTTPS #25

Open
storytracer opened this issue May 19, 2021 · 1 comment

@storytracer

First of all, thank you so much for this amazing tool. I only discovered it today and am absolutely stunned by your great work. However, when I tweeted about it, there was immediate concern about the security of the testing website (see reactions to tweet).

For users wanting to test the tool it would be great if you could clarify/fix the following points on the testing website:

  • Force HTTPS for all website visitors
  • Properly name and approve the Google API OAuth application which is asking for permission to users' accounts (it is currently un-approved by Google and shows a warning to users)
  • Clarify what Google account permissions will be requested and why
  • Explain why Google cookies are mandatory for the use of the tool
@adammertel
Owner

adammertel commented May 23, 2021

Hi @canbuffi, thank you very much for reaching me here.
(I am sorry I was not able to respond on Twitter, I am not very active there :/)

I was trying to rewrite the website to use HTTPS only previously but the external services stopped working. But I should give it at least one more shot, there is definitely a workaround.

With the rest of your comments, I absolutely agree. We have been using Historical Geocoding Assistant mainly internally so the problem with the security was not that significant. I should find some time in the next couple of weeks to fix them - thanks for the tips.

If you have other ideas on how to make this tool more convenient and secure for external users, please let me know, I am happy to implement them :)

Have a nice rest of the weekend and thank you once again for your notes
