Security and HTTPS
LastFriends uses HTTPS everywhere and enforces it with HSTS (HTTP Strict Transport Security). This means modern browsers will only connect to our site securely and will automatically upgrade any insecure requests.
Why you might see warnings
- Some in-app browsers (e.g., Instagram, Twitter) restrict cookies or downgrade security, which can cause sign-in issues.
- If you previously visited an http:// link, your ISP/router may have intercepted it before the secure connection was established.
Recommended steps
- Open this site directly in Safari (iOS) or Chrome (Android).
- Always use the canonical URL: https://lastfriends.site.
- If you see a warning in an app, tap the ••• menu and choose "Open in Browser".
Technical details
- HSTS header: Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
- Content Security Policy: upgrade-insecure-requests to avoid mixed content.
- OAuth cookies are scoped to the apex domain lastfriends.site to avoid state loss across subdomains.
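As an added example (not code from LastFriends), the sketch below parses a Strict-Transport-Security value following RFC 6797 and checks it against the browser preload list requirements: a max-age of at least one year plus includeSubDomains and preload. The function names and the weak contrast header are assumptions made for illustration.

```python
import re

PRELOAD_MIN_MAX_AGE = 31536000  # one year, the minimum the preload list accepts

def parse_hsts(value):
    """Parse an HSTS header value into {directive: value-or-None}.

    Per RFC 6797 section 6.1: directive names are case-insensitive,
    a repeated directive invalidates the header, and max-age is required.
    Simplification: splits on ';' and does not handle ';' inside quotes.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # the grammar allows empty directives
        name, _, raw = part.partition("=")
        name, raw = name.strip().lower(), raw.strip()
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            raw = raw[1:-1]  # max-age may be sent as a quoted-string
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = raw if "=" in part else None
    if not re.fullmatch(r"[0-9]+", directives.get("max-age") or ""):
        raise ValueError("max-age missing or not a non-negative integer")
    directives["max-age"] = int(directives["max-age"])
    return directives

def preload_problems(value):
    """Return the reasons a header would not qualify for preloading."""
    try:
        d = parse_hsts(value)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if d["max-age"] < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age {d['max-age']} is below {PRELOAD_MIN_MAX_AGE}")
    for required in ("includesubdomains", "preload"):
        if required not in d:
            problems.append(f"missing {required}")
    return problems

# Header value quoted on this page, and a constructed weak one for contrast.
PAGE_HEADER = "max-age=63072000; includeSubDomains; preload"
WEAK_HEADER = "max-age=86400"

if __name__ == "__main__":
    for header in (PAGE_HEADER, WEAK_HEADER):
        print(header, "->", preload_problems(header) or "meets preload requirements")
```

An empty list means the header carries everything preloading requires; the one-day header fails on all three counts, so subdomains and first visits would stay unprotected.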
Questions? Open an issue on GitHub.