opt into server enforced https about python3statement.github.io HOT 18 CLOSED

Thanks! One thing that's not quite clear to me: is it possible that enabling that now would cause issues if we later moved to a custom domain? I've been considering getting something like <redacted> for it.

from python3statement.github.io.

@takluyver delete your comment. Do not mention an unregisted domain name on github. It will be automatically stolen

from python3statement.github.io.

@takluyver delete your comment. Do not mention an unregisted domain name on github. It will be automatically stolen

Redacted just in case. Yes, for now we can't enforce https if we want a custom domain at some point.

from python3statement.github.io.

Yes, for now we can't enforce https if we want a custom domain at some point.

This isn't true. Github only forces https for the .github.io domain. It's fine with CNAMEs.

from python3statement.github.io.

also you can just use cloudfront for HTTPS like I do with https://graingert.github.io

from python3statement.github.io.

From github help:

HTTPS is not supported for GitHub Pages using custom domains.

Even if it can work.

While we know we can setup cloudflare, cloudfront or anything else, it is extra work, extra-credential, and extra instruction that need to be maintained.

So for now I don't think it's worth it,

from python3statement.github.io.

Thanks for the warnings. I wasn't too attached to the particular name, so if someone steals it, we'll find another one.

Are there bots that trawl Github and register domains? If so, hey bots! I'm totally about to register domainregisteringbotssuck.org and helpimstuckinadomainfarm.co. Wouldn't want anyone to snap those up before I get round to it!

from python3statement.github.io.

From github help:

HTTPS is not supported for GitHub Pages using custom domains.

That just means GitHub will not redirect to https for CNAMEs. All the check box does is redirect http://python3statement.github.io to https://python3statement.github.io

from python3statement.github.io.

There will be no problems migrating to a custom domain

from python3statement.github.io.

My thinking is that it might also set HSTS to enforce that a browser that has visited the site will always go to the https URL. And maybe there's a restriction on an HSTS site redirecting to a plain http site. It's all pretty speculative, but I also don't think it's hugely important to use https on this site - we're not asking for any information or offering any downloads - so there's no rush to flip the switch.

from python3statement.github.io.

@takluyver if it does set HSTS that will only effect http://python3satement.github.io

from python3statement.github.io.

@takluyver what I'm trying to say is there's no harm in flipping the switch, there are only benefits

from python3statement.github.io.

Right, I understand that you're saying that, I'm just trying to ascertain if I actually believe it ;-).

Specifically, is a domain using HSTS allowed to redirect to a plain HTTP one? I don't have any particular reason to think it can't, but I also don't currently have clear evidence that it can, and it's a restriction that wouldn't entirely surprise me if it were true.

from python3statement.github.io.

is a domain using HSTS allowed to redirect to a plain HTTP one

Yes, otherwise that would break the web.

from python3statement.github.io.

@takluyver here's a demo https://graingert.co.uk/go-to-python3statement

from python3statement.github.io.

curl -i https://graingert.co.uk/go-to-python3statement
HTTP/1.1 302 Moved Temporarily
Date: Thu, 14 Jul 2016 17:10:53 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=redacted; expires=Fri, 14-Jul-17 17:10:53 GMT; path=/; domain=.graingert.co.uk; HttpOnly
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Location: http://python3statement.github.io/
Strict-Transport-Security: max-age=15552000; includeSubDomains; preload
X-Content-Type-Options: nosniff
Server: cloudflare-nginx
CF-RAY: redacted

from python3statement.github.io.

OK, thanks. It's not obvious to me that it would break the web if HSTS->http redirects failed, but the demo is compelling. :-)

from python3statement.github.io.

Done!

from python3statement.github.io.