Page www.tvmaze.com/premium opens up credit card form and should always redirect users to https://
Otherwise people who want to support you will see this warning: https://cl.ly/okPP and could abandon payment process.
Hi Daniula,
It's a valid point. Thanks for bringing attention to it. We'll have a look at it as this might indeed give some users the wrong idea.
Just some additional info regarding the security of the payment process:
"You can rest assured that all checkout screens/widgets exclusively use HTTPS. Sending creditcard details in plaintext would never pass PCI compliance. You can verify this in the developer console: all the resources loaded when you click the button are HTTPS. You could even take the (https://checkout.paddle.com/...) link, open it in a new tab and finish your checkout there."
To clarify Jan's point:
The premium page itself is not HTTPS by default (although it does support it).
The paddle (Payment Gateway) connection - where you enter your details - is done using HTTPS.
Moving this to Chat because it's not a bug per se. Thanks for bringing it to our attention though, I don't see any such errors in my browser even when the outer page is HTTP (because, as the others said, all actual payment-related content is always loaded over HTTPS).
We've been gradually transitioning to HTTPS for a while now, and completing that transition is definitely on our radar for this year. :)
Looks to me like this has already been fixed. When you visit tvmaze.com you start on https://, and when you navigate to the premium page, it's a HTTPS page too. If not, you can always just directly add https:// before the page, the page supports it, and the credit-card notification doesn't appear there.
Wilco wrote:
Looks to me like this has already been fixed. When you visit tvmaze.com you start on https://, and when you navigate to the premium page, it's a HTTPS page too. If not, you can always just directly add https:// before the page, the page supports it, and the credit-card notification doesn't appear there.
It already was like this, there's just not an automatic HTTPS redirect.
gazza911 wrote:
It already was like this, there's just not an automatic HTTPS redirect.
Ah, right, gotcha. I misunderstood.
All links to the login- and premium pages are HTTPS, so as soon as you land there your browser should keep you on the HTTPS version of the site. We don't currently enforce HTTPS though, so you can still end up at the HTTP version somehow.
Just a note, HTTPS Everywhere is a browser extension for Chrome and Firefox. Everyone should use it. :)