Use HSTS; HTTP endpoint should be immediately deprecated. #39

@sirocyl

This application carries a lot of risk for an MITM attack on a less-than-secure network environment, such as public WLAN. While it does have an HTTPS frontend, the fact that the HTTP one exists, and is the default, is troubling.

At this time, anyone could simply gain control of network packets between the client and the host, and substitute their own version of the OSP page, with one which may exfiltrate one's passwords or do other nefarious things.

HSTS is important for applications like this. It ensures that an HTTPS connection, and only a strongly-secure HTTPS connection, can be made by the browser.

This doesn't affect the open source code, as far as I can tell; this is a server configuration issue for the oneshallpass.com website/host.

This could be solved by hosting on Github Pages, since it uses HSTS; see #36.
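As an added illustration of what a correct server-side deployment looks like (this is example code written for this page, not part of the oneshallpass project, and the responses it checks below are constructed, not captured from oneshallpass.com), the following audit function encodes the RFC 6797 rules the issue relies on: the plain-HTTP endpoint should only redirect to https://, browsers ignore a Strict-Transport-Security header received over HTTP, the header is invalid without max-age, and includeSubDomains is needed to keep subdomains off plain HTTP. The one-year minimum max-age is an assumption taken from common deployment guidance, not from the issue.

```python
"""Audit HSTS deployment from captured HTTP/HTTPS response headers.

Added example for this issue page; not project code. Sample responses
at the bottom are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed threshold (one year in seconds); a common recommendation,
# not a value from the issue.
RECOMMENDED_MAX_AGE = 31536000


@dataclass
class HstsPolicy:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    problems: List[str] = field(default_factory=list)


def parse_hsts(header_value: str) -> HstsPolicy:
    """Parse a Strict-Transport-Security value per RFC 6797 section 6.1.

    Directives are ';'-separated and case-insensitive; max-age is
    mandatory; unknown directives are ignored; duplicates are flagged.
    """
    policy = HstsPolicy()
    seen = set()
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in seen:
            policy.problems.append(f"duplicate directive: {name}")
            continue
        seen.add(name)
        if name == "max-age":
            if value.isdigit():
                policy.max_age = int(value)
            else:
                policy.problems.append(f"max-age is not a non-negative integer: {value!r}")
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
    if policy.max_age is None:
        policy.problems.append("max-age missing; browsers ignore the header entirely")
    return policy


def audit_response(status: int, headers: Dict[str, str], via_https: bool) -> List[str]:
    """Return findings for one response; an empty list means no issue found."""
    findings: List[str] = []
    lower = {k.lower(): v for k, v in headers.items()}
    if not via_https:
        # The HTTP endpoint must not serve the application; it should only
        # redirect to https:// (RFC 6797 section 7.2).
        location = lower.get("location", "")
        if not (300 <= status < 400 and location.startswith("https://")):
            findings.append("HTTP endpoint serves content instead of redirecting to https://")
        if "strict-transport-security" in lower:
            # Browsers ignore HSTS over non-secure transport (section 8.1).
            findings.append("HSTS header sent over HTTP is ignored by browsers")
        return findings
    value = lower.get("strict-transport-security")
    if value is None:
        findings.append("no Strict-Transport-Security header on HTTPS response")
        return findings
    policy = parse_hsts(value)
    findings.extend(policy.problems)
    if policy.max_age is not None:
        if policy.max_age == 0:
            findings.append("max-age=0 removes the host from the browser's HSTS cache")
        elif policy.max_age < RECOMMENDED_MAX_AGE:
            findings.append(f"max-age {policy.max_age} is below the assumed minimum {RECOMMENDED_MAX_AGE}")
    if not policy.include_subdomains:
        findings.append("includeSubDomains absent; subdomains remain reachable over plain HTTP")
    return findings


# Constructed sample responses (not captured from any real host).
SAMPLES = {
    "http serves page": (200, {"Content-Type": "text/html"}, False),
    "http redirects": (301, {"Location": "https://example.test/"}, False),
    "https no hsts": (200, {"Content-Type": "text/html"}, True),
    "https short hsts": (200, {"Strict-Transport-Security": "max-age=300"}, True),
    "https good hsts": (200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}, True),
}


def audit_samples() -> Dict[str, List[str]]:
    return {name: audit_response(*args) for name, args in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in audit_samples().items():
        print(f"{name}: {findings or 'OK'}")
```

Run it against header captures of the HTTP and HTTPS endpoints; the only configuration that produces no findings for both is an HTTP listener that does nothing but redirect to https:// plus an HTTPS listener sending a long-lived HSTS policy with includeSubDomains.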
