On 5 September 2017 at 09:31, Leon Timmermans <faw...@gmail.com> wrote:

> On Tue, Sep 5, 2017 at 6:34 AM, Ask Bjørn Hansen <a...@perl.org> wrote:
>
>> > Among things that should allow non-TLS: I would include /src/.  Also
>> > the top-level RECENT files, things in /indices/.
>>
>> +1.
>>
>> Maybe it makes more sense to reverse the logic and just target
>> whatever the most popular[1] web pages for browsers and count on HSTS
>> having the browsers sort it out; basically an expanded version of what we
>> did now with just the home page.
>
>
I see a comment about something having broken cpanminus when someone
doesn't have LWP::Protocol::https installed:
http://log.perl.org/2017/08/tls-only-for-wwwcpanorg.html#comment-form

Would (at least for the short term) just adding the HSTS header to every
request be the best solution? Then browsers get told to switch to secure
and other clients can do either.

N.B. versions of Opera have some issues with TLS 1.2 not being enabled and
getting disabled again: https://github.com/metacpan/metacpan-web/issues/1967

Thanks

Leo
