freenode / web-7.0

The freenode website, home to our blog, knowledge base and policies
https://freenode.net/

Enable HSTS for freenode.net #178

Closed Mikaela closed 6 years ago

Mikaela commented 8 years ago

As you use CloudFlare, you could just go to https://www.cloudflare.com/a/crypto/freenode.net#security_header and enable it there.

I don't think there is any reason why browsers should fall back to an insecure connection with freenode.net.

hackers-terabit commented 8 years ago

Second this +1

Please add HSTS preloading, https://hstspreload.appspot.com/, current state: https://hstspreload.appspot.com/?domain=freenode.net

Most people don't have HTTPS Everywhere (and they shouldn't need to); when someone types in "freenode.net" they will default to the HTTP website, same with webchat.

I'd love it if freenode sets an example to the FOSS community with this, in the spirit of best-effort privacy and security.

Cheers.

boxmein commented 8 years ago

http://caniuse.com/#feat=stricttransportsecurity Consider this matrix - check website data to see what % of visitors will be set back by this change.

hackers-terabit commented 8 years ago

boxmein - HSTS is just an HTTP header; if a device or browser does not support it, it will simply ignore it and use HTTP like it would normally.

On the flip side, browsers supporting HSTS will use HTTPS and have an encrypted connection to Cloudflare. This will mitigate so many threats, and most if not all of the burden is carried by Cloudflare.

emersonveenstra commented 6 years ago

This is implemented now