Closed: bgentry closed this 10 years ago
There's nothing sensitive on godoc.org so I don't see what it would add for our users.
This work would have to happen on the deployment side; we terminate SSL with nginx. All the configs and deployment scripts are in a private repo, so it would be hard for you to contribute this work.
Thanks very much for the suggestion and offer of help, though.
Sure. In this case it's not about sensitive personal data so much as it's an issue with the fact that every unencrypted web page serves as a potential attack vector for users of the site. I understand if you don't want to consider that a priority, though. At least the site is compatible with "HTTPS everywhere" extensions :v:
I hadn't thought of that.
If it was easy to just let you do the work, I'd be happy for you to do it. :)
> In this case it's not about sensitive personal data so much as it's an issue with the fact that every unencrypted web page serves as a potential attack vector for users of the site.
Yeah, this is a good idea primarily because of that (and since HTTPS is already supported).
Also: https://googleonlinesecurity.blogspot.com/2014/08/https-as-ranking-signal_6.html
If we add the HSTS header, there is also the Chrome list: https://hstspreload.appspot.com/
Redirecting HTTP->HTTPS and turning on HSTS (and even submitting to the preload list!) would be a great thing for Godoc to do. The docs may not be sensitive, but using HTTPS protects your visitors from attacks like Verizon's perma-cookie header they inject into all HTTP traffic -- HTTPS blocks this. And you can never really predict what global-scale actors might be able to extract from network traffic correlation between godoc.org and other websites.
I think Chrome and Firefox, at the very least, would like to keep the web moving in the direction where some day they can start more actively discouraging HTTP. Every site that goes HTTPS-only makes that easier.
Sorry for the double-post, but the Chrome HSTS preloader, also linked above, is very easy to use -- just turn on HSTS, add `includeSubdomains; preload` to the end of the header, and submit the form. In a few months, Chrome, Firefox, and Safari will all refuse to ever hit the `http://` version of your website.
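The two steps discussed in this thread (redirect plain HTTP to HTTPS, then send a Strict-Transport-Security header that qualifies for the preload list) are shown below as an added example in Go. It is not code from the gddo project or from any commenter here; godoc.org terminates TLS in nginx, so in practice the redirect and header would live in that config. The example assumes the app may sit behind a TLS-terminating proxy that sets `X-Forwarded-Proto` and strips any client-supplied copy of that header; the preload thresholds (max-age of at least one year, `includeSubDomains`, `preload`) follow hstspreload.org's published requirements.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
	"strings"
)

// hstsValue is a header value that satisfies the preload-list requirements:
// one year max-age, all subdomains covered, explicit opt-in to preloading.
const hstsValue = "max-age=31536000; includeSubDomains; preload"

// preloadMinMaxAge is hstspreload.org's minimum max-age (one year in seconds).
const preloadMinMaxAge = 31536000

// isHTTPS reports whether the request arrived over TLS, either directly or via a
// trusted proxy (assumption: the proxy overwrites X-Forwarded-Proto, so a client
// cannot spoof it to skip the redirect).
func isHTTPS(r *http.Request) bool {
	return r.TLS != nil || strings.EqualFold(r.Header.Get("X-Forwarded-Proto"), "https")
}

// EnforceHTTPS wraps h: plain-HTTP requests get a 301 to the same URL on https://,
// HTTPS requests get the HSTS header and are passed through to h.
func EnforceHTTPS(h http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !isHTTPS(r) {
			target := "https://" + r.Host + r.URL.RequestURI()
			http.Redirect(w, r, target, http.StatusMovedPermanently)
			return
		}
		// HSTS is only meaningful on HTTPS responses; browsers ignore it over HTTP.
		w.Header().Set("Strict-Transport-Security", hstsValue)
		h.ServeHTTP(w, r)
	})
}

// HSTSPreloadReady parses a Strict-Transport-Security value and reports whether it
// meets the preload-list requirements, returning the list of problems found.
func HSTSPreloadReady(value string) (bool, []string) {
	maxAge := -1
	subdomains, preload := false, false
	for _, d := range strings.Split(value, ";") {
		d = strings.TrimSpace(d)
		switch {
		case strings.HasPrefix(strings.ToLower(d), "max-age="):
			// RFC 6797 allows a quoted number here, so strip quotes before parsing.
			raw := strings.Trim(strings.TrimSpace(d[len("max-age="):]), `"`)
			if n, err := strconv.Atoi(raw); err == nil {
				maxAge = n
			}
		case strings.EqualFold(d, "includeSubDomains"):
			subdomains = true
		case strings.EqualFold(d, "preload"):
			preload = true
		}
	}
	var problems []string
	if maxAge < preloadMinMaxAge {
		problems = append(problems, fmt.Sprintf("max-age must be at least %d, got %d", preloadMinMaxAge, maxAge))
	}
	if !subdomains {
		problems = append(problems, "missing includeSubDomains directive")
	}
	if !preload {
		problems = append(problems, "missing preload directive")
	}
	return len(problems) == 0, problems
}

func main() {
	h := EnforceHTTPS(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "documentation page")
	}))

	// Constructed request: plain HTTP, as a visitor typing the bare hostname would send.
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest("GET", "http://godoc.org/pkg/net/http?foo=bar", nil))
	fmt.Println("HTTP request ->", rec.Code, rec.Header().Get("Location"))

	// Constructed request: HTTPS terminated by a proxy that set X-Forwarded-Proto.
	req := httptest.NewRequest("GET", "http://godoc.org/", nil)
	req.Header.Set("X-Forwarded-Proto", "https")
	rec = httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	fmt.Println("HTTPS request ->", rec.Code, rec.Header().Get("Strict-Transport-Security"))

	for _, v := range []string{hstsValue, "max-age=10886400; includeSubDomains"} {
		ok, problems := HSTSPreloadReady(v)
		fmt.Printf("%q preload-ready: %v %v\n", v, ok, problems)
	}
}
```

The redirect reconstructs the full original URL (host, path and query) so bookmarks and deep links keep working, and the checker is the same test a reviewer would run against a live site's response header before submitting it to the preload form, since a header that omits `includeSubDomains` or uses a short max-age will be rejected there.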
It looks like https://godoc.org works just fine. Given that, is there any reason not to go HTTPS-only along with HTTP Strict Transport Security (HSTS)?
I'd be happy to write a pull request for this if it sounds like a good idea.