Possible Man-in-the-Middle Attack on Authentication When Not Using HTTPS

No Encryption before transmission

The password & confirm-password fields inside the request body for the register & login endpoints are not encrypted by the client. CMIIW, if the connection is not over HTTPS, someone could intercept and note down the email & password.

It responds with a Set-Cookie header.
If we set this cookie in another browser / tab / device (one that we did not use to register or log in earlier), we will be logged in as the legitimate user.
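An added example (not from the issue or the project) that audits a login response for the two weaknesses described above: cleartext transport, and a session cookie that can be replayed from any client because it carries no Secure / HttpOnly / SameSite attributes. The sample responses and the example.test host are constructed placeholders.

```python
"""Audit a login response's headers for the weaknesses described above.

Constructed sample responses (not captured from the real application):
a weak one over HTTP with a bare cookie, and a hardened one over HTTPS.
"""

WEAK_RESPONSE = {
    "url": "http://example.test/login",  # placeholder host
    "headers": [
        ("Set-Cookie", "session=abc123; Path=/"),
    ],
}

HARDENED_RESPONSE = {
    "url": "https://example.test/login",
    "headers": [
        ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
        ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ],
}


def parse_set_cookie(value):
    """Return (cookie_name, {attribute_lower: value_or_True}) for one Set-Cookie header."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name, attrs


def audit_response(resp):
    """Return a list of findings; an empty list means no weakness was detected."""
    findings = []
    if resp["url"].lower().startswith("http://"):
        findings.append("credentials and cookie travel over cleartext HTTP")
    header_names = {k.lower() for k, _ in resp["headers"]}
    if "strict-transport-security" not in header_names:
        findings.append("no Strict-Transport-Security header")
    for key, value in resp["headers"]:
        if key.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        if "secure" not in attrs:
            findings.append(f"cookie {name} lacks Secure (also sent over HTTP)")
        if "httponly" not in attrs:
            findings.append(f"cookie {name} lacks HttpOnly (readable by script)")
        if str(attrs.get("samesite", "")).lower() not in ("lax", "strict"):
            findings.append(f"cookie {name} lacks SameSite=Lax/Strict")
    return findings
```

Running `audit_response` over the weak response lists five findings; over the hardened one it returns an empty list.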

Type of vulnerabilities

I guess.... Insecure Design. CMIIW