golang / go

The Go programming language
https://go.dev
BSD 3-Clause "New" or "Revised" License
124.31k stars 17.7k forks

x/website,x/gddo: enable HSTS for godoc.org and golang.org #26162

Open lgarron opened 6 years ago

lgarron commented 6 years ago

godoc.org uses HTTPS. It would be great to increase protection by implementing HSTS and preloading: https://hstspreload.org/?domain=godoc.org

This is especially valuable for godoc.org, since URLs are designed to be easily constructed (from other URLs) by hand and not everyone might add/keep the HTTPS scheme when they do so.

cc @FiloSottile

lgarron commented 6 years ago

It seems the godoc.org server is constructed at

https://github.com/golang/gddo/blob/9ab275bde8fe1bb887642e9250b8d58aba11af61/gddo-server/main.go#L850

but I'm not sure about the best place to add a new header.

agnivade commented 6 years ago

If this is just about godoc.org, I believe issues about that are tracked on that repo.

I also checked golang.org which seems to be missing the includeSubDomains directive, but it does have the preload header though.

FiloSottile commented 6 years ago

I suggested opening an issue here so that we can do godoc and golang.org at the same time.

agnivade commented 6 years ago

Ah alright. ping @andybons for golang.org.

gopherbot commented 6 years ago

Change https://golang.org/cl/122175 mentions this issue: cmd/godoc,cmd/tip: enable HSTS
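An added example, not code from the gddo or golang.org servers or from any commenter: it shows one place a Go server can set the header discussed above (a wrapper around the top-level handler), plus a check of a header value against the hstspreload.org requirements (max-age of at least 31536000, includeSubDomains, preload). The names `withHSTS`, `preloadProblems` and `hstsValue` and the sample header values are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"strconv"
	"strings"
)

// Constructed policy value: one year, all subdomains, preload opt-in.
const hstsValue = "max-age=31536000; includeSubDomains; preload"

// withHSTS (hypothetical helper) wraps a handler so every response carries
// the policy. Browsers ignore the header on plain-HTTP responses (RFC 6797).
func withHSTS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Strict-Transport-Security", hstsValue)
		next.ServeHTTP(w, r)
	})
}

// preloadProblems lists the hstspreload.org header requirements a value fails.
func preloadProblems(header string) []string {
	maxAge, seen := int64(-1), map[string]bool{}
	for _, part := range strings.Split(header, ";") {
		d := strings.ToLower(strings.TrimSpace(part)) // directive names are case-insensitive
		if strings.HasPrefix(d, "max-age=") {
			if n, err := strconv.ParseInt(strings.Trim(strings.TrimPrefix(d, "max-age="), `"`), 10, 64); err == nil {
				maxAge = n
			}
		}
		seen[d] = true
	}
	var problems []string
	if maxAge < 31536000 {
		problems = append(problems, "max-age missing or below 31536000")
	}
	for _, want := range []string{"includeSubDomains", "preload"} {
		if !seen[strings.ToLower(want)] {
			problems = append(problems, want+" missing")
		}
	}
	return problems
}

func main() {
	fmt.Println(preloadProblems(hstsValue))                   // full policy
	fmt.Println(preloadProblems("max-age=31536000; preload")) // constructed: no includeSubDomains
}
```

In a server, the wrapper goes around whatever handler is passed to `http.ListenAndServe` or set as `http.Server.Handler`, so every route inherits the header.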