Blog is missing a (301 permanent) redirect from HTTP to HTTPS, and also missing HSTS (SSL)
Speaking of http://blog.gitter.im/, it is missing any mechanism to redirect clients to the secure page under https://blog.gitter.im/. This means that those who visit the former, insecure URL will keep using it unless they manually change the protocol in the URL (which is quite unlikely in practice).
To resolve that, the HTTP server should issue a 301 permanent redirect to the HTTPS page. This is already done on the main site: https://gitter.im/.
Ideally, it would also be nice to see HSTS implemented. It is a simple HTTP header returned by the server that instructs the client (browser) to upgrade to HTTPS on the client side for future requests, saving an insecure round-trip to the server for this purpose. This mechanism is currently missing from both blog.gitter.im and the main site gitter.im.
[ BTW, the lack of a 301 redirect and HSTS also applies to all GitLab Pages served under *.gitlab.io, even if HTTPS is enabled (the default for new projects) in the settings panel. ]
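As an added example (not part of this issue and not code from the Gitter or GitLab projects), the following Python checks a captured HTTP response for the two properties described above: a 301 redirect to the same URL over HTTPS, and a usable `Strict-Transport-Security` header. The host names and responses in it are constructed, not captured from the real sites, and the one-year minimum `max-age` is an assumption taken from common hardening guidance rather than anything stated in this issue. It also encodes the caveat that browsers only honour HSTS on responses received over HTTPS, so a header sent on the plain-HTTP response alone does not help.

```python
from urllib.parse import urlparse

# Minimum max-age we accept for HSTS: one year in seconds.
# Assumption: this threshold is a common hardening recommendation, not a requirement from the issue.
MIN_HSTS_MAX_AGE = 31536000


def check_redirect(request_url, status, headers):
    """Validate that a plain-HTTP request was answered with a 301 to the same URL over HTTPS.

    headers is a dict with lower-case header names. Returns (ok, reason).
    """
    if status != 301:
        return False, f"expected 301, got {status}"
    location = headers.get("location")
    if not location:
        return False, "301 without Location header"
    req, loc = urlparse(request_url), urlparse(location)
    if loc.scheme != "https":
        return False, f"redirect target is not https: {location}"
    if loc.hostname != req.hostname:
        return False, f"redirect leaves the host: {loc.hostname}"
    # A good redirect preserves the requested path instead of bouncing everything to "/".
    if (loc.path or "/") != (req.path or "/"):
        return False, "redirect drops the requested path"
    return True, "ok"


def parse_hsts(value):
    """Parse Strict-Transport-Security directives into a dict; unknown directives are ignored."""
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            if arg.isdigit():
                result["max_age"] = int(arg)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result


def check_hsts(scheme, headers, min_max_age=MIN_HSTS_MAX_AGE):
    """Validate HSTS on a response received over `scheme` ("http" or "https").

    Browsers ignore the header on plain-HTTP responses, so it only counts on HTTPS.
    Returns (ok, reason).
    """
    value = headers.get("strict-transport-security")
    if value is None:
        return False, "no Strict-Transport-Security header"
    if scheme != "https":
        return False, "HSTS header sent over plain HTTP is ignored by browsers"
    parsed = parse_hsts(value)
    if parsed["max_age"] is None:
        return False, "HSTS header has no valid max-age"
    if parsed["max_age"] < min_max_age:
        return False, f"max-age {parsed['max_age']} is below {min_max_age}"
    return True, "ok"


# Constructed sample responses (hypothetical host, not captured from blog.gitter.im):
# the current behaviour (plain 200 over HTTP, no HSTS) next to the fixed behaviour.
SAMPLES = {
    "http_current": ("http://blog.example.invalid/post/1", 200, {"content-type": "text/html"}),
    "http_fixed": ("http://blog.example.invalid/post/1", 301,
                   {"location": "https://blog.example.invalid/post/1"}),
    "https_current": ("https://blog.example.invalid/post/1", 200, {"content-type": "text/html"}),
    "https_fixed": ("https://blog.example.invalid/post/1", 200,
                    {"strict-transport-security": "max-age=31536000; includeSubDomains"}),
}


def audit(samples):
    """Run the appropriate check on each sample; returns {name: (ok, reason)}."""
    findings = {}
    for name, (url, status, headers) in samples.items():
        scheme = urlparse(url).scheme
        if scheme == "http":
            findings[name] = check_redirect(url, status, headers)
        else:
            findings[name] = check_hsts(scheme, headers)
    return findings


if __name__ == "__main__":
    for name, (ok, reason) in audit(SAMPLES).items():
        print(f"{name:14s} {'PASS' if ok else 'FAIL'}: {reason}")
```

Feeding real responses into these functions only requires the status code and a lower-cased header dict from whatever HTTP client is in use; the redirect check is run against the plain-HTTP response and the HSTS check against the HTTPS response.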
/cc @MadLittleMods