Last modified: 2014-07-23 03:34:02 UTC
Wikitech requires HTTPS connections (http://wikitech.wikimedia.org redirects to https://wikitech.wikimedia.org), so could we send a Strict-Transport-Security header, so that browsers will automatically use HTTPS even if a link points to HTTP?
Hi fn84b. Thanks for taking the time to report this! This particular problem has already been reported into our bug tracking system, but please feel free to report any further issues you find. *** This bug has been marked as a duplicate of bug 38516 ***
Wikitech can use a different, easier implementation compared to bug 38516 (Wikipedia, etc.). As HTTPS cannot be disabled in the preferences and as there is no GeoIP-based blacklist for avoiding HTTPS, HSTS can be enabled by always sending the header like the reporter suggested, e.g. via the webserver configuration. (Although we might be able to use the same implementation, it still needs to be enabled as Wikitech is completely separated.) The Apache configuration for Wikitech is at: operations/puppet.git/templates/apache/sites/wikitech.wikimedia.org.erb
https://gerrit.wikimedia.org/r/148290 fixed this issue.
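A check for the header requested in this report, as an added example that is not part of the bug thread or of the Wikimedia configuration: it parses a Strict-Transport-Security value following RFC 6797 and reports why a browser would not apply it. The sample responses are constructed, and the `MIN_MAX_AGE` floor and the function names are assumptions of this example.

```python
import re

MIN_MAX_AGE = 180 * 24 * 3600  # assumed policy floor, not a value from the bug report

def parse_hsts(value):
    """Parse an HSTS value (RFC 6797, section 6.1); None means browsers ignore it."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:                        # empty directives are permitted
            continue
        name, _, val = part.partition("=")
        name, val = name.strip().lower(), val.strip()   # names are case-insensitive
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]                 # quoted-string form: max-age="300"
        if name in directives:              # a repeated directive voids the header
            return None
        directives[name] = val
    if not re.fullmatch(r"[0-9]+", directives.get("max-age", "")):
        return None                         # max-age is required and must be digits
    return directives

def check_hsts(scheme, headers):
    """Return a list of problems for one response; an empty list means none found."""
    found = [v for k, v in headers if k.lower() == "strict-transport-security"]
    if scheme != "https":
        # Browsers ignore HSTS received over plain HTTP, so it only counts on HTTPS.
        return ["HSTS header on an HTTP response has no effect"] if found else []
    if not found:
        return ["Strict-Transport-Security header missing"]
    policy = parse_hsts(found[0])           # only the first header field is processed
    if policy is None:
        return ["header is malformed and will be ignored"]
    max_age = int(policy["max-age"])
    if max_age == 0:
        return ["max-age=0 tells the browser to forget the HSTS policy"]
    if max_age < MIN_MAX_AGE:
        return ["max-age %d is below the assumed floor %d" % (max_age, MIN_MAX_AGE)]
    return []

# Constructed sample responses (scheme, header list); not captured from wikitech.
SAMPLES = [
    ("http", [("Location", "https://wikitech.wikimedia.org/")]),
    ("https", [("Strict-Transport-Security", "max-age=31536000")]),
    ("https", [("Strict-Transport-Security", "max-age=3600; max-age=7200")]),
    ("https", [("Content-Type", "text/html")]),
]

if __name__ == "__main__":
    for scheme, headers in SAMPLES:
        print(scheme, check_hsts(scheme, headers) or "ok")
```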