Given that HTTP redirects to HTTPS on diff.wikimedia.org, an HSTS header should probably be sent to force HTTPS connections.
It looks like this was set for blog.wikimedia.org in T105905; however, it seems to not be sent after the move to diff.
- diff.wikimedia.org
- techblog.wikimedia.org
- wikimediaendowment.org
- one.wikimedia.org
- policy.wikimedia.org
- soundlogo.wikimedia.org
- wikimediafoundation.org
https://office.wikimedia.org/wiki/WordPress also contains a row detailing support
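
One way to check a set of hosts for the header, as an added example that is not part of the original task or any Wikimedia tooling: it parses `Strict-Transport-Security` values the way RFC 6797 tells a browser to and classifies each host's HTTPS response headers. The function names, the one-year `min_age` threshold, the `.example` hosts and all header values are assumptions constructed for illustration; only the missing header on diff.wikimedia.org reflects what the task reports.

```python
import re

def parse_hsts(value):
    """Parse an HSTS value (RFC 6797 6.1); None if a browser would ignore it."""
    seen = {}
    # Simplification: assumes no ';' inside a quoted directive value.
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # empty directives are allowed by the grammar
        name, _, arg = part.partition("=")
        name, arg = name.strip().lower(), arg.strip()
        if len(arg) >= 2 and arg[0] == arg[-1] == '"':
            arg = arg[1:-1]  # a directive value may be a quoted-string
        if name in seen:
            return None  # a repeated directive invalidates the header
        seen[name] = arg
    if not re.fullmatch(r"[0-9]+", seen.get("max-age", "")):
        return None  # max-age is required and must be a number
    return {"max_age": int(seen["max-age"]),
            "include_subdomains": "includesubdomains" in seen,
            "preload": "preload" in seen}  # preload: preload-list extension, not RFC 6797

def audit(responses, min_age=31536000):
    """Classify each host's HTTPS response headers; min_age is this example's choice."""
    report = {}
    for host, headers in responses.items():
        lowered = {k.lower(): v for k, v in headers.items()}
        raw = lowered.get("strict-transport-security")
        policy = parse_hsts(raw) if raw is not None else None
        if raw is None:
            report[host] = "missing"
        elif policy is None:
            report[host] = "invalid"
        elif policy["max_age"] < min_age:
            report[host] = "disabled" if policy["max_age"] == 0 else "short"
        else:
            report[host] = "ok"
    return report

# Constructed sample headers, not measured from the live sites.
SAMPLE = {
    "diff.wikimedia.org": {"Content-Type": "text/html"},
    "ok.example": {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"},
    "short.example": {"strict-transport-security": 'max-age="86400"'},
    "dup.example": {"Strict-Transport-Security": "max-age=31536000; max-age=0"},
    "off.example": {"Strict-Transport-Security": "max-age=0"},
}
print(audit(SAMPLE))
```

Feed it the headers of the final HTTPS response for each host, since browsers ignore an HSTS header received over plain HTTP.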