Closed lucaswerkmeister closed 8 years ago
:+1:
HTTPS is important for software distribution sites (especially ones as easy to use as Herd) to help ward off man-in-the-middle attacks.
I think nowadays it's a given that all sites should be using HTTPS, even if they only contain information (and especially if a login is available somewhere). Look at Wikipedia, for example: it immediately redirects to the HTTPS version as well.
As long as existing tools point to HTTP we have to redirect, but you can't use Herd without HTTPS ATM so closing this as good enough.
I've added the extra header to apache.
The Herd should be available exclusively over HTTPS. This means:
`Location` header), and over HTTPS, the server sends an HSTS header, like this:
to instruct web browsers to always redirect to the HTTPS version automatically.
Aside from all security concerns, there’s a very practical reason to do this too: Currently, each time you visit the HTTP version, your session is killed and you’re logged out, which is very annoying, since most Herd links are currently HTTP links. When browsers always rewrite links to HTTPS, this is no longer a problem.
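As an added example (not part of this issue thread or of the Herd code), here is a small offline check for the two conditions the issue asks for: plain-HTTP requests answered with a redirect to the same URL over HTTPS, and HTTPS responses carrying a valid `Strict-Transport-Security` header. The host name, the sample responses and the one-year minimum `max-age` are constructed assumptions.

```python
"""Check that a site is HTTPS-only as described in the issue: HTTP requests
are redirected to HTTPS, and HTTPS responses carry a valid HSTS header.
Responses are passed in as (status, headers) so this runs offline; the
sample responses below are constructed, not captured from a real server."""
from urllib.parse import urlsplit

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into a dict of directives
    (RFC 6797): names are case-insensitive, max-age is required and numeric."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    if not directives.get("max-age", "").isdigit():
        raise ValueError("HSTS header lacks a numeric max-age: %r" % value)
    return directives

def check_http_redirect(url, status, headers):
    """The HTTP response must be a permanent redirect (301/308) to the
    same host and path over https://, so no link is left on plain HTTP."""
    location = headers.get("Location")
    if status not in (301, 308) or location is None:
        return False
    src, dst = urlsplit(url), urlsplit(location)
    return dst.scheme == "https" and (dst.netloc, dst.path) == (src.netloc, src.path)

def check_https_hsts(headers, min_age=31536000):
    """The HTTPS response must carry HSTS with max-age >= min_age
    (assumed one year here); a short max-age expires the protection quickly."""
    value = headers.get("Strict-Transport-Security")
    if value is None:
        return False
    try:
        return int(parse_hsts(value)["max-age"]) >= min_age
    except ValueError:
        return False

# Constructed sample responses for an imaginary host.
HTTP_OK = (301, {"Location": "https://herd.example.org/modules/foo"})
HTTP_BAD = (200, {"Content-Type": "text/html"})  # page served over plain HTTP
HTTPS_OK = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
HTTPS_WEAK = {"Strict-Transport-Security": "max-age=300"}  # only five minutes

if __name__ == "__main__":
    print(check_http_redirect("http://herd.example.org/modules/foo", *HTTP_OK))   # True
    print(check_http_redirect("http://herd.example.org/modules/foo", *HTTP_BAD))  # False
    print(check_https_hsts(HTTPS_OK), check_https_hsts(HTTPS_WEAK))  # True False
```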