infinitesunrise / carsinbikelanes

A browsable geographic database for crowdsourced traffic violation reporting
GNU General Public License v3.0

Use HTTPS (and HSTS) on carsinbikelanes.nyc #20

Open paulschreiber opened 7 years ago

paulschreiber commented 7 years ago

HTTPS

mattkime commented 7 years ago

@infinitesunrise I think you'd need to drive this since you own the site. Let me know if you'd like some help.

infinitesunrise commented 7 years ago

Definitely want to support HTTPS, just don't have the know-how yet / haven't gotten around to it. Received #30 today with the same goal in mind that removes the 'http:' from all hard-coded URLs, will likely merge it in tonight. Not sure if that alone makes the site https-ready (I actually hadn't been aware that it didn't fully support https until this issue).

mattkime commented 7 years ago

@infinitesunrise it's a few trivial code changes like that if you already have a cert installed.

mattkime commented 7 years ago

This would be a good addition: https://help.dreamhost.com/hc/en-us/articles/215747758-How-do-I-force-my-site-to-load-securely-with-an-htaccess-file-

Otherwise you're requiring people to type in https://

paulschreiber commented 7 years ago

I'm happy to help on the server/configuration/admin side. Email me if you'd like.

paulschreiber commented 7 years ago

The fixes in #30 are wrong. You should no longer use them: http://www.paulirish.com/2010/the-protocol-relative-url/

Use https for all assets, even when your site isn't yet https.

infinitesunrise commented 7 years ago

Haha, go figure. I'll switch the links over to https when I have some time this week. I have a few domains with certs installed that I can then test it out on (carsinbikelanes.nyc also has a Let's Encrypt cert installed). Any other https considerations I should keep in mind, besides link URLs?

paulschreiber commented 7 years ago

Look out for (and fix) mixed-content warnings once it's up and running. Be sure you have the 301 redirect (on http connections) and Strict-Transport-Security (on https connections). Once it's working, submit to https://hstspreload.appspot.com/.
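The two server-side checks in the comment above (a 301 from http to https, and a Strict-Transport-Security header that hstspreload will accept) can be verified offline against captured responses. This is an added example, not code from the carsinbikelanes project; the response values and paths below are constructed, and the preload thresholds (one-year max-age, includeSubDomains, preload, same-host redirect) are those published by the preload list.

```python
"""Offline checks for an HTTPS rollout: http->https 301 and a preload-eligible HSTS header.
Inputs are constructed response values (status, Location, header string), not live fetches."""
from urllib.parse import urlsplit

PRELOAD_MIN_AGE = 31536000  # one year in seconds, the hstspreload minimum


def parse_hsts(value):
    """Parse 'max-age=...; includeSubDomains; preload' into a dict of lowercased directives."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue
        if name == "max-age":
            try:
                directives[name] = int(val.strip().strip('"'))
            except ValueError:
                continue  # malformed max-age is treated as absent
        else:
            directives[name] = True
    return directives


def hsts_problems(value):
    """Return reasons the https response's HSTS header would be rejected for preload (empty = OK)."""
    if value is None:
        return ["no Strict-Transport-Security header on the https response"]
    d = parse_hsts(value)
    problems = []
    age = d.get("max-age")
    if age is None:
        problems.append("missing max-age")
    elif age < PRELOAD_MIN_AGE:
        problems.append(f"max-age {age} is below the {PRELOAD_MIN_AGE}s preload minimum")
    if "includesubdomains" not in d:
        problems.append("missing includeSubDomains")
    if "preload" not in d:
        problems.append("missing preload directive")
    return problems


def redirect_problems(request_url, status, location):
    """Check that an http:// request was answered with a 301 to the same path on https://."""
    problems = [] if status == 301 else [f"expected 301, got {status}"]
    if not location:
        return problems + ["no Location header"]
    src, dst = urlsplit(request_url), urlsplit(location)
    if dst.scheme != "https":
        problems.append(f"redirect target scheme is {dst.scheme!r}, not https")
    if dst.hostname != src.hostname:
        problems.append("first redirect hop must stay on the same host for preload")
    if dst.path != src.path:
        problems.append("redirect drops the requested path")
    return problems
```

Run the same two functions over the real responses once the cert and redirect are in place; an empty list from both is the state the preload submission expects.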

infinitesunrise commented 7 years ago

Great! Thank you!