As the forum has a registration/login form and personal data (email, password…) are transmitted, it would be good to have the connection encrypted - at least login/registration pages.
SSL certificates are available for free these days (Letsencrypt, StartSSL…) and the CPU overhead for encryption is not very high, as most modern CPUs support accelerated encryption through AES-NI.
Looks good, thanks!
Just one thing: It would be good to have a redirect from http:// to https://, as there might still be links around using http:// (e.g. the mail notification took me to http://).
Also some SEO sites claim Google doesn’t like “duplicated content” (though I don’t know if Google really detects http/https as duplicated content…)
@ivankravets Whoops hope you saw it already: http://platformio.org is currently not available due to “405 Method not allowed” error.
Maybe caused by the https redirect?
Do you know how to fix it? I don’t have any redirects. Try checking from any HTTP client and it works. Looks like the browser automatically tries to use HTTPS.
No, I’m using Chrome. Same problem in Incognito mode.
I tried this in a different browser and Chrome on a different PC and it works. In Chrome on my PC - even in incognito mode - I get redirected to https://, which is not working (no longer the 405 error, but an invalid certificate, only valid for the community. subdomain).
My assumption: This is probably due to “Strict-Transport-Security” (HSTS) header. I tried opening platformio.org using HTTPS and I assume that the HSTS header was sent by your server.
That’s why my browser requires https for your domain now - even in Incognito mode (HSTS state is persistent in Chrome even between incognito & normal tabs).
The good news: It shouldn’t be an issue for most people and I can look at how to reset the HSTS storage for my browser.
If there hasn’t been any other link to https:// and nobody tried it, there shouldn’t be an issue for other users.
But I strongly recommend being very careful with the HSTS header. Some privacy-concerned people might try to access any webpage using HTTPS (there are even browser plugins like “HTTPS Everywhere”).
If that webpage has broken HTTPS or does not intend to keep HTTPS for a long time but still sends the HSTS header, it’s broken for these people and it’s difficult to find the reason.
As you set HSTS for community.platformio.org, you are now kind of forced to keep https up and running for this subdomain for a long time (min. 180 days to be precise, as it’s set to 15768000 seconds). If you for some reason disable https, recurring users will get an error message because their browser forces a redirect to https.
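To make the commitment described above concrete, here is an added example (not code from the forum thread or from PlatformIO) that parses a `Strict-Transport-Security` header value per RFC 6797 and reports what it commits the site to: the number of days returning browsers will refuse plain HTTP, whether subdomains are covered, and whether the value is even valid (browsers ignore a header with no `max-age` or with repeated directives). The sample header values are constructed; only `max-age=15768000` is the value quoted in the thread.

```python
"""Parse a Strict-Transport-Security header and describe the commitment it makes.

Added example for the HSTS discussion above; not code from the forum or PlatformIO.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample header values (not captured from any real server),
# except "community", which is the value quoted in the thread.
SAMPLE_HEADERS = {
    "community": "max-age=15768000",
    "full": "max-age=31536000; includeSubDomains; preload",
    "clear": "max-age=0",
    "missing_max_age": "includeSubDomains",       # invalid: max-age is required
    "duplicate": "max-age=10; max-age=20",         # invalid: directive repeated
}


@dataclass
class HstsPolicy:
    max_age: int              # seconds the browser will insist on HTTPS
    include_subdomains: bool
    preload: bool

    @property
    def days(self) -> float:
        """Commitment length in days (the thread's 15768000 s is 182.5 days)."""
        return self.max_age / 86400


def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """Parse a header value following RFC 6797 section 6.1.

    Returns None when a browser would ignore the header: max-age missing or
    malformed, or any directive appearing more than once. Directive names are
    case-insensitive and unknown directives are ignored.
    """
    max_age = None
    include_sub = False
    preload = False
    seen = set()
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, raw = directive.partition("=")
        name = name.strip().lower()
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            raw = raw.strip().strip('"')          # quoted-string form is allowed
            if not re.fullmatch(r"\d+", raw):
                return None
            max_age = int(raw)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_sub, preload)


def assess(value: str) -> List[str]:
    """Return human-readable findings an operator should know before sending this header."""
    policy = parse_hsts(value)
    if policy is None:
        return ["invalid header: browsers will ignore it"]
    findings = []
    if policy.max_age == 0:
        findings.append("max-age=0: returning browsers drop the stored policy")
    else:
        findings.append(f"HTTPS must stay working for {policy.days:.1f} days for returning visitors")
    if policy.include_subdomains:
        findings.append("includeSubDomains: every subdomain must serve valid HTTPS too")
    if policy.preload and not policy.include_subdomains:
        findings.append("preload without includeSubDomains: not eligible for browser preload lists")
    return findings


if __name__ == "__main__":
    for label, header in SAMPLE_HEADERS.items():
        print(f"{label:16} {header!r}")
        for line in assess(header):
            print("    -", line)
```

Running the block prints the assessment for each constructed header; `parse_hsts` and `assess` can be pointed at a header value captured with any HTTP client to check what a site has already committed to before the header is changed or removed.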
Thanks, it fixed the issue. However, that’s a reminder for me why I’m not yet using HSTS for my websites - although it might be a good idea regarding security.
Off topic, just a thought while browsing the webpage again: You could add a more visible donation button. Either I overlook it or there is currently only a small link at the bottom of the page.
So Chrome still hasn’t fixed HSTS super cookies? (you can actually track people persistently in incognito by associating them via ~32 domains and setting HSTS on some of them, then reading that information)
Looks like they leak HSTS state from normal mode to incognito mode but not vice versa.
E.g. if you visit a page in incognito for the first time and get an HSTS header, it won’t be available in normal mode. But the HSTS storage from normal mode seems to be respected in incognito, though.
I don’t like this behavior either - but it looks like Google decided to keep this as it’s better for security - although it’s bad for privacy…