Support HTTPS

[bhubbard]

I would like to see jshint.com support HTTPS. Maybe use a service like CloudFlare?

[jugglinmike]

Can you provide some information on why HTTPS support would be useful for jshint.com?

[bhubbard]

It just makes sense to give site visitors a secure connection if its possible. Here are a few links that explain why HTTPS is a good idea:

• https://https.cio.gov/everything/
• https://webmasters.googleblog.com/2014/08/https-as-ranking-signal.html

[jugglinmike]

I'm familiar with the technology, but I would like to know more about how jshint.com would specifically benefit from a secure connection. As a statically-generated site that does not include any personal information in the visiting traffic, I'm not sure that the necessary investment in infrastructure would bring any benefit.

[bhubbard]

I see your point, but the investment in infrastructure shouldn't be a problem. You could literally setup a free CloudFlare account, and have HTTPS working within the hour.

I really see 2 main benefits:

• As the second link mentioned, Google is now using it as a ranking signal, and will be more and more.
• Allows a potential performance boost, as you could support SPDY or HTTP2, again a service like CloudFlare offers this out of the box. My personal site is hosted on Github using Github Pages, and is therefore static, and it defaults to HTTPS using the CloudFlare service. I noticed a boost when I made the switch.

[patrickdark]

As far as security goes, if my understanding is correct, HTTPS support is useful to prevent snooping on what one is doing over a wifi network connection (which someone or some organization engaging in targeted harassment or surveillance of a user might want to do). It's apparently trivial to brute force a well-secured home wifi network because the network never moves and such networks tend to allow unrestricted and unlimited login attempts.

There's also a protection of the herd factor here. When everything is encrypted regardless of importance, it becomes harder to discern what is and isn't a valuable target. And larger numbers of encrypted must-have sites make it harder for repressive regimes to censor the Internet and determine what people are doing which I think is part of what is driving Web platform vendors (i.e., all browser vendors) to encourage the mass adoption of HTTPS.

Other than that, I think bhubbard has covered it: various web features are being tied to HTTPS to discourage use of HTTP. I don't think JSHint uses any of the relevant JavaScript APIs, so HTTP2, SEO, and possibly access to the HTTP referer header—if JSHint's Google Analytics script uses that; I'm not familiar with that analysis service—are the primary benefits in the non-security realm.

[jugglinmike]

jshint.com is deployed using GitHub's "GitHub Pages" feature. Earlier this year, the company began offering HTTPS support for custom domains that reference sites like these. Today, I made the necessary DNS changes to enable the feature. As a result, you may now read about the project via a secure connection by visiting https://jshint.com