shtukas
commented
10 months ago @mxdvl Fair enough 😄
Closed shtukas closed 10 months ago
shtukas
commented
10 months ago @mxdvl Fair enough 😄
akash1810
commented
10 months ago Agree with @mxdvl. Given we can be https, we definitely should.
shtukas
commented
10 months ago @akash1810 Let me close the PR then, but for argument's sake, we could also redirect them to https from the http url, right ?
akash1810
commented
10 months ago we could also redirect them to
https, right ?
I think we should favour configuring HSTS here - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security. With HSTS clients will always visit the https site, avoiding the redirect and the person-in-the-middle risk.
Not all clients observe the HSTS header however, so placing a 301 from http to https would still be needed.
Given we can be
https, we definitely should.
To expand on this a little, visiting a site on https from the start keeps things simple from the client's side.
At the moment url
https://www.grauniad.co.ukis not correctly resolving. This change move to using the nonsurl to the guardian.com. Note that we should revert to thesurl if one day we resolve the DNS problems. @mxdvl pointed this out here: https://github.com/guardian/domains-platform/issues/89