Closed shtukas closed 10 months ago
@mxdvl Fair enough 😄
Agree with @mxdvl. Given we can be https, we definitely should.
@akash1810 Let me close the PR then, but for argument's sake, we could also redirect them to https from the http url, right?
we could also redirect them to https, right?
I think we should favour configuring HSTS here - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security. With HSTS, clients will always visit the https site, avoiding the redirect and the person-in-the-middle risk.
Not all clients observe the HSTS header, however, so placing a 301 from http to https would still be needed.
Given we can be https, we definitely should.
To expand on this a little, visiting a site on https from the start keeps things simple from the client's side.
At the moment the url https://www.grauniad.co.uk is not correctly resolving. This change moves to using the non-s url to the guardian.com. Note that we should revert to the s url if one day we resolve the DNS problems. @mxdvl pointed this out here: https://github.com/guardian/domains-platform/issues/89
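
The two controls discussed in the thread (a 301 from http to https, plus an HSTS header on the https response) can be checked together. This is an added example, not code from this PR or the project; the host `www.example.org` and the `(status, headers)` response pairs are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).
    Returns None when the header is missing or carries no single valid max-age."""
    if not value:
        return None
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            # A repeated or non-numeric max-age makes the whole header invalid.
            if max_age is not None or not re.fullmatch(r"\d+", arg):
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

def check_https_setup(http_resp, https_resp, host):
    """Return a list of findings; an empty list means both controls are in place.
    Each response is a (status, headers) pair with lower-cased header names."""
    findings = []
    status, headers = http_resp
    target = urlsplit(headers.get("location", ""))
    if status != 301:
        findings.append(f"http response is {status}, expected 301")
    elif target.scheme != "https" or target.hostname != host:
        findings.append("301 does not point at the https site on the same host")
    hsts = parse_hsts(https_resp[1].get("strict-transport-security"))
    if hsts is None:
        findings.append("https response has no valid Strict-Transport-Security header")
    elif hsts[0] == 0:
        findings.append("max-age=0 tells clients to drop the HSTS policy")
    return findings

# Constructed sample responses (not captured from any real site).
GOOD_HTTP = (301, {"location": "https://www.example.org/"})
GOOD_HTTPS = (200, {"strict-transport-security": "max-age=31536000; includeSubDomains"})
NO_REDIRECT = (200, {})
NO_HSTS = (200, {})

if __name__ == "__main__":
    print(check_https_setup(GOOD_HTTP, GOOD_HTTPS, "www.example.org"))
    print(check_https_setup(NO_REDIRECT, NO_HSTS, "www.example.org"))
```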