Redirect HTTP requests to HTTPS

[rzumer]

People who are used to accessing the site using HTTP (via history, bookmarks, etc.) should be redirected to the HTTPS version, since it provides better security against session hijacking. Currently, either version of the site is accessible.

[rzumer]

Basic nginx example (inside the server configuration):

listen 80;
listen 443 ssl;

...

if ($scheme != "https") {
    return 301 https://$host$request_uri;
}

[luchaos]

thanks @rzumer ! said redirects for all variants (http, https, www, non-www) are prepared. it's good to have this issue as reference though.

The reason those redirects are not active yet are the various integrations which access the api via http, which i was told do not work with automatic redirects too well yet.
The plan is to go https-only (deactivating http access in this case) as soon as the integration are all changed to use https only as well - which is planned to happen with v2 release.
Subsequent links on the site though include https already - even when initially accessed via http.

I'm not sure there are issues in all consumer's repositories for that change yet - we should make sure this is the case.

[rzumer]

That's good to know, unfortunately I can't tell what's done and left to do considering I can't see the code... :)

[CoolCanuck]

Just redirecting to HTTPS by itself is not good practice. It's a start, but HSTS (HTTP Strict Transport Security) would be the way to go. Do NOT mess up your HSTS settings, as the website will become inaccessible. Start with a smaller max-age value until you know what you're doing is correct.

HSTS does NOT allow the user to override an invalid certificate/security error message

[luchaos]

HSTS is already prepared on the server, but as with the redirect, which still has to exist, this cannot happen before all clients deal with following redirects/protocol upgrades properly.

[CoolCanuck]

Excellent!

When HSTS is stable, let's submit it to https://hstspreload.org/ so it gets added into Chrome/Chromium/other browsers

[CoolCanuck]

Let's also ensure we have the https version of the website verified in google analytics/tracking. We can even tell Google we prefer to show the https version (although eventually it will figure it out): https://support.google.com/webmasters/answer/44231?hl=en

[rzumer]

I do not agree with using Google tracking (or Google anything if it can be avoided).

[CoolCanuck]

@rzumer feel free to open an issue as a feature request to switch to Matomo (analytics), self hosted or other cdn js/css libraries, self hosted webfonts, etc.

[rzumer]

I was not aware that Google Analytics was live already. I can open an issue if there is consensus.

I'm not sure that there is a reason to use analytics at all at this point. But this is better discussed in chat.