<div dir="ltr">What happens if someone types in <a href="http://noisebridge.net">http://noisebridge.net</a>? There are plenty of links out there leading to us without SSL.</div><div class="gmail_extra"><br><div class="gmail_quote">On 8 April 2016 at 10:56, Patrick O'Doherty <span dir="ltr"><<a href="mailto:p@trickod.com" target="_blank">p@trickod.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">hey folks,<br>
<br>
Since the GA of LetsEncrypt I've wanted to make it a pattern that all<br>
noisebridge services operate over TLS.<br>
<br>
It occurred to me this morning that we could theoretically force our own<br>
hands with this by setting the includeSubdomains flag on the HSTS header<br>
on <a href="http://noisebridge.net" rel="noreferrer" target="_blank">noisebridge.net</a>, meaning that any service that we run on a subdomain<br>
*must* run over HTTPS. [0]<br>
<br>
I know there's a few subdomains like <a href="http://lists.noisebridge.net" rel="noreferrer" target="_blank">lists.noisebridge.net</a> which would<br>
need to be upgraded immediately, but I can take care of that.<br>
<br>
Is there any good reason *not* to do this?<br>
<br>
p<br>
<br>
[0] -<br>
<a href="https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security" rel="noreferrer" target="_blank">https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security</a><br>
<br>
<br>_______________________________________________<br>
Rack mailing list<br>
<a href="mailto:Rack@lists.noisebridge.net">Rack@lists.noisebridge.net</a><br>
<a href="https://www.noisebridge.net/mailman/listinfo/rack" rel="noreferrer" target="_blank">https://www.noisebridge.net/mailman/listinfo/rack</a><br>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature">Rubin<br><a href="mailto:rubin@starset.net" target="_blank">rubin@starset.net</a><br></div>
</div>