-
Notifications
You must be signed in to change notification settings - Fork 12.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use TLS / HSTS for the site, discourse, etc. #17914
Comments
Related issue: #13180 |
Discourse is now on https, and the earlier issue covers the site, so I'm giving this a close. |
http://users.rust-lang.org/ does not use HSTS for me (or even redirects to HTTPS). |
Does site include the blog and the docs? |
@annevk it does for me... And yes, the site does include the blog and docs. The docs have HTTPs access, and the site and blog have the same root cause: github pages hosting. |
I think it does not do a 301 or some such. When I open a fresh browser the initial load does not redirect to HTTPS. |
Which browser are you using? I'm on Firefox on linux. It still redirects for me. (and really, this would be an upstream issue, as this change was made by requesting it from discourse /cc @brson @coding-horror) |
Nightly on OS X. Then Safari (stable) on OS X. Now Chrome dev on OS X. "Still redirects" is not the problem by the way, that bit works (and it's not a redirect, but a browser rewrite), it's the initial connection which you can only get if you clear your HSTS cache or use a different browser. |
Pin `rowan` to `0.15.15` To prevent rust-lang#17914, I think that it would be safer pinning this before we fix it correctly
That way active attackers cannot spoof download links for software from insecure pages and credentials cannot be leaked passively from the forums.
https://wiki.whatwg.org/wiki/TLS has more reasons if those are not sufficient.
Endgame: http://hstspreload.appspot.com/
The text was updated successfully, but these errors were encountered: