Mobilecoin websites should offer Strict-Transport-Security header

Strict-Transport-Security (aka HSTS) is a way to prevent an SSLStrip attack.

Currently, neither of the two main mobilecoin websites (the dot com and the buymobilecoin site) sets the HSTS header at all, which leaves them vulnerable to such an attack.

This is particularly troubling because commonly-accessed pages like "terms of use - MobileCoin" use http-only (non-encrypted) links to the buymobilecoin site – anyone who clicks on those links will be vulnerable to SSLStrip even if they’ve already visited the buymobilecoin site in the past.
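
A check for both conditions described above, as an added example that is not part of the original report: it parses the `Strict-Transport-Security` value of a response and lists plain-http links in the page body. The hostnames and sample response are constructed placeholders, and the 180-day minimum `max-age` is an assumed threshold.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

MIN_AGE = 15552000  # assumed policy threshold: 180 days, in seconds

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797); None if unusable."""
    if not value:
        return None
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip().strip('"')
    max_age = directives.get("max-age", "")
    if not (max_age.isascii() and max_age.isdigit()):
        return None  # max-age is mandatory; browsers ignore the header without it
    return {"max_age": int(max_age),
            "include_subdomains": "includesubdomains" in directives}

class _Links(HTMLParser):
    """Collect href values of <a> tags."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def audit(headers, html, min_age=MIN_AGE):
    """Findings for one HTTPS response: HSTS state and plain-http links."""
    findings = []
    lowered = {k.lower(): v for k, v in headers.items()}
    hsts = parse_hsts(lowered.get("strict-transport-security"))
    if hsts is None:
        findings.append("HSTS header missing or invalid")
    elif hsts["max_age"] < min_age:
        findings.append(f"HSTS max-age too short: {hsts['max_age']}")
    parser = _Links()
    parser.feed(html)
    for href in parser.hrefs:
        if urlsplit(href).scheme.lower() == "http":
            findings.append(f"plain-http link: {href}")
    return findings

# Constructed sample: a response with no HSTS header and one http-only link.
SAMPLE_HEADERS = {"Content-Type": "text/html"}
SAMPLE_HTML = ('<a href="http://shop.example.com/">Buy</a> '
               '<a href="https://www.example.com/terms">Terms</a>')
```
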