https

[miketaylr]

Should probably serve webcompat.com over https by default.

[ghost]

Agreed! I would really like webcompat to support HTTPS and redirect HTTP to HTTPS.

[annevk]

Can this be given higher priority? Perhaps through Mozilla's IT? It's really bad to have a site that has a login box and accepts potentially sensitive information without TLS/HSTS.

[karlcow]

@annevk which sensitive information are you thinking about?

[annevk]

Well, a user's login credentials. Sites a user wants to report.

[miketaylr]

Can this be given higher priority?

Yeah, thanks for a reminder--probably won't be able to tackle this until next week with conference travel starting tomorrow though.

[miketaylr]

Was feeling lazy when thinking about tasks I should be working on, so I worked on this instead.

The only complication is that I didn't add the includeSubdomain to the HSTS header because I grabbed a free StartSSL cert (good for webcompat.com & www.webcompat.com) and we have the following subdomains that would be hosed by forcing https:

• planet.webcompat.com
• staging.webcompat.com

Not really worried about staging, because that's behind HTTP basic auth and is just a place for core contributors to test out things. But having protocol differences between staging and production is not ideal.

But we need to figure out what to do with planet. The solution might just be to pony up the $59.99 for a 2 year Class 2 with wildcard/subdomain support.

[miketaylr]

Filed #303 for the subdomain stuff.