This is a plugin for https://discourse.org that lets you grade a website's HTTP security headers and collects data about how the top 10,000 sites implement them.

We should scan the domains in the following way:

First try to access http://domain.com; if that redirects to https, then scan and grade as we do now.

If it doesn't redirect to https, then instead of reporting Missing Strict-Transport-Security we can report TLS/SSL is not enabled (The connection to this web server is vulnerable to man-in-the-middle and eavesdropping attacks.), and still score it the same way as a missing HSTS header.

If the user enters the full URL with https, we just scan that directly; if the user enters the full URL as http, we do the same as above.

Refer to the disc here
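The target-selection rule above (probe http first, follow a redirect to https, otherwise report TLS as not enabled and score it like a missing HSTS header), written out as an added Ruby example; this is not the plugin's own code, and the `head:` callable, `ScanTarget` struct and `hsts_score` helper are assumed names for illustration.

```ruby
require "uri"

# Outcome of deciding what to scan for a user-supplied domain or URL.
ScanTarget = Struct.new(:url, :tls_enabled, :finding, keyword_init: true)

# Reported instead of "Missing Strict-Transport-Security" when the plain-HTTP
# origin never redirects to HTTPS.
TLS_NOT_ENABLED = "TLS/SSL is not enabled (The connection to this web server is " \
                  "vulnerable to man-in-the-middle and eavesdropping attacks.)"

# `head` is an injected callable (hypothetical, not the plugin's API):
# head.(url) -> [http_status, location_header_or_nil]. Injecting it keeps the
# decision logic testable without touching the network.
def resolve_scan_target(input, head:)
  has_scheme = input =~ %r{\A[a-z][a-z0-9+.-]*://}i
  uri = URI.parse(has_scheme ? input : "http://#{input}")

  # An explicit https URL is scanned directly.
  return ScanTarget.new(url: uri.to_s, tls_enabled: true, finding: nil) if uri.scheme == "https"

  # Bare domain or explicit http: probe the http origin and follow redirects,
  # bounded so a redirect loop cannot hang the scanner.
  current = uri
  5.times do
    status, location = head.call(current.to_s)
    break unless (300..399).cover?(status) && location
    current = URI.join(current.to_s, location)
    if current.scheme == "https"
      return ScanTarget.new(url: current.to_s, tls_enabled: true, finding: nil)
    end
  end

  # No redirect to https: scan the http origin and report TLS as not enabled.
  ScanTarget.new(url: current.to_s, tls_enabled: false, finding: TLS_NOT_ENABLED)
end

# HSTS line of the grade: the same zero whether the header is missing on an
# https site or TLS is not enabled at all. Header names are assumed lowercased.
def hsts_score(target, headers)
  return 0 unless target.tls_enabled
  headers.key?("strict-transport-security") ? 1 : 0
end
```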