Closed wbazant closed 3 months ago
@wbazant All external (non-localhost) http traffic on the server is now redirected to https. Does this fix the issue for you?
Yes, it does - even explicitly typing HTTP in the address bar sends me to HTTPS, thanks for fixing!
Both live and beta site issue, but I spotted it when playing with the beta site on mobile.
When accessing the live site by typing fallingfruit.org on Firefox, I get:
Meanwhile, I didn't reproduce the issue with Chrome, but I noticed that it does take me to HTTPS. There's apparently something like "HTTP Strict Transport Security" (https://superuser.com/a/881431) which is the name for the behaviour, and I guess it mitigates much of the severity of this issue since Chrome is a popular browser.
The proposed resolution is to modify server config to add a redirect of http to https for the root of the site, for live and beta sites.
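An added example, not part of the issue thread or the project's server configuration: a small offline check for the two behaviours discussed above, that a plain-HTTP request is answered with a redirect to HTTPS, and that the HTTPS response carries a usable `Strict-Transport-Security` policy. The function names, the `example.test` host and the sample responses are constructed for illustration.

```python
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

def parse_hsts(value):
    """Parse a Strict-Transport-Security header value (RFC 6797) into a dict."""
    policy = {"max_age": None, "include_subdomains": False}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            policy["max_age"] = int(arg) if arg.isascii() and arg.isdigit() else None
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    return policy

def audit(request_url, status, headers):
    """Return a list of findings for one observed response (empty list = OK)."""
    headers = {k.lower(): v for k, v in headers.items()}
    findings = []
    if urlsplit(request_url).scheme == "http":
        # A relative Location has no scheme, so it stays on http and is flagged too.
        target = urlsplit(headers.get("location", ""))
        if status not in REDIRECT_CODES:
            findings.append("plain HTTP answered without a redirect")
        elif target.scheme != "https":
            findings.append("redirect does not point to https")
        if "strict-transport-security" in headers:
            findings.append("HSTS sent over HTTP is ignored by browsers")
    else:
        policy = parse_hsts(headers.get("strict-transport-security", ""))
        if policy["max_age"] is None:
            findings.append("no valid HSTS max-age on HTTPS response")
        elif policy["max_age"] == 0:
            findings.append("max-age=0 tells browsers to drop the HSTS policy")
    return findings

# Constructed sample responses (not captured from the real site).
HSTS = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
SAMPLES = [
    ("http://example.test/", 200, {"Content-Type": "text/html"}),
    ("http://example.test/", 301, {"Location": "https://example.test/"}),
    ("https://example.test/", 200, HSTS),
    ("https://example.test/", 200, {}),
]

if __name__ == "__main__":
    for url, status, hdrs in SAMPLES:
        print(url, status, audit(url, status, hdrs) or "OK")
```

A browser only learns an HSTS policy from a response received over HTTPS, so the redirect is what covers a first visit typed without a scheme.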