Now that we've switched production to HTTPS-only, it would be great if our blog followed suit.
Initially it made sense to keep the blog on HTTP, so that the message could get through even to users who were having issues with HTTPS; however, enough time has now passed and we should actually move this forward.
The blog already works fine over HTTPS, with a certificate of our own.
Switching to HTTPS-only involves asking Automattic (our blog host) to do the following:
- Make sure no embedded resources (scripts, stylesheets, images, iframes) are loaded from http:// URLs within the page, since those would be blocked or flagged as mixed content (I don't currently see any, but someone should double-check).
- Switch <link rel=canonical> to HTTPS; right now it's forced to http://, which means that search engines always point to our blog over HTTP. Same, but less important, for <link rel=shortlink>.
- Permanently redirect (301) all URLs (/.*) to their HTTPS equivalent.
- Set Strict-Transport-Security header to max-age=31536000; includeSubDomains; preload
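The four items above can each be verified from a fetched page and its response headers. The following script is an added example written for this ticket, not tooling from Automattic or from our own blog; it runs offline against a constructed sample page and constructed header values, and the hostnames blog.example.org and cdn.example.net are placeholders. It scans the HTML for http:// resource URLs, reports the scheme of the canonical and shortlink links, checks that an http:// request got a 301 to the exact https:// equivalent, and checks that the Strict-Transport-Security value carries the max-age, includeSubDomains and preload directives requested above.

```python
"""Offline checks for the HTTPS-only migration checklist (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

HSTS_MIN_MAX_AGE = 31536000  # one year, as requested in the checklist


class ResourceScanner(HTMLParser):
    """Collect http:// resource URLs and the canonical/shortlink hrefs."""

    def __init__(self):
        super().__init__()
        self.http_resources = []  # (tag, attribute, url) loaded over plain HTTP
        self.rel_links = {}       # rel -> href for canonical and shortlink

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "link":
            rel = a.get("rel", "").lower()
            href = a.get("href", "")
            if rel in ("canonical", "shortlink"):
                # These are hints for search engines, not fetched subresources,
                # so they are tracked separately rather than as mixed content.
                self.rel_links[rel] = href
                return
            if href.lower().startswith("http://"):
                self.http_resources.append((tag, "href", href))
            return
        for attr in ("src", "data", "poster"):
            if a.get(attr, "").lower().startswith("http://"):
                self.http_resources.append((tag, attr, a[attr]))


def find_http_resources(html):
    """Return every embedded resource that is loaded over http://."""
    scanner = ResourceScanner()
    scanner.feed(html)
    return scanner.http_resources


def rel_link_schemes(html):
    """Return {rel: scheme} for <link rel=canonical> and <link rel=shortlink>."""
    scanner = ResourceScanner()
    scanner.feed(html)
    return {rel: urlsplit(href).scheme for rel, href in scanner.rel_links.items()}


def redirect_ok(status, location, requested_url):
    """True when an http:// request got a 301 to the same host+path over https://."""
    if status != 301 or not requested_url.startswith("http://"):
        return False
    expected = "https://" + requested_url[len("http://"):]
    return location == expected


def check_hsts(header_value):
    """Parse a Strict-Transport-Security value; report which directives hold."""
    directives = {}
    for part in header_value.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = value.strip().strip('"')
    try:
        max_age = int(directives.get("max-age", "-1"))
    except ValueError:
        max_age = -1
    return {
        "max_age_ok": max_age >= HSTS_MIN_MAX_AGE,
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }


def hsts_ready_for_preload(header_value):
    """True only when all three requested directives are present and valid."""
    return all(check_hsts(header_value).values())


# Constructed sample page: one mixed-content script and http:// canonical links.
SAMPLE_HTML = """<html><head>
<link rel="canonical" href="http://blog.example.org/2019/01/post/">
<link rel="shortlink" href="http://blog.example.org/?p=123">
<link rel="stylesheet" href="https://blog.example.org/style.css">
<script src="http://cdn.example.net/widget.js"></script>
</head><body>
<img src="https://blog.example.org/logo.png">
<img src="//blog.example.org/protocol-relative.png">
</body></html>"""

if __name__ == "__main__":
    print("http:// resources:", find_http_resources(SAMPLE_HTML))
    print("rel link schemes:", rel_link_schemes(SAMPLE_HTML))
    print("redirect ok:", redirect_ok(301, "https://blog.example.org/2019/01/post/",
                                      "http://blog.example.org/2019/01/post/"))
    print("HSTS ok:", hsts_ready_for_preload("max-age=31536000; includeSubDomains; preload"))
```

In practice the HTML and headers would come from a real fetch of the blog; the script deliberately takes them as strings so the checks can be unit-tested and rerun after Automattic applies each change. Protocol-relative URLs (`//host/...`) are left alone because they follow the page's own scheme.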