x/website,x/gddo: enable HSTS for godoc.org and golang.org

[lgarron]

godoc.org uses HTTPS. It would be great to increase protection by implementing HSTS and preloading: https://hstspreload.org/?domain=godoc.org

This is especially valuable for godoc.org, since URLs are designed to be easily constructed (from other URLs) by hand and not everyone might add/keep the HTTPS scheme when they do so.

cc @FiloSottile

[lgarron]

It seems the godoc.org server is constructed at

https://github.com/golang/gddo/blob/9ab275bde8fe1bb887642e9250b8d58aba11af61/gddo-server/main.go#L850

but I'm not sure about the best place to add a new header.

[agnivade]

If this is just about godoc.org, I believe issues about that are tracked on that repo.

I also checked golang.org which seems to be missing the includeSubDomains directive, but it does have the preload header though.

[FiloSottile]

I suggested opening an issue here so that we can do godoc and golang.org at the same time.

[agnivade]

Ah alright. ping @andybons for golang.org.

[gopherbot]

Change https://golang.org/cl/122175 mentions this issue: cmd/godoc,cmd/tip: enable HSTS

[seankhliao]

I believe this is no longer relevant now that the main domain is on .dev