On 05/11/13 20:38, Yoav Nir wrote:
>> Enabling 'HTTP Strict Transport Security' (HSTS, RFC6797) might be a
>> good first step.
> HSTS means that HTTP is off (or just redirects you to HTTPS). The first S stands for "strict" and we mean it. :-)
>

Well, not entirely; the redirect is strictly not part of HSTS.
Without a redirect we give visitors an option; if you come in via http,
fine... If you come in via https with a browser that understands HSTS,
then it's https from that moment on.

And once we're all used to that, we can add the redirect ;-)

--
Marco
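The browser-side behaviour discussed in the message above, as an added example that is not part of the original e-mail: a toy model of an RFC 6797 HSTS store, showing that a server without a redirect leaves http visitors on http until they have made one https visit. The class name `HstsStore`, the host `example.org` and the header values are assumptions made for illustration.

```javascript
// Added illustration: a toy model of a browser's HSTS store (RFC 6797).
// The host example.org and the header values are constructed sample data.
class HstsStore {
  constructor() { this.hosts = new Map(); } // host -> { expires, includeSub }

  // Parse "max-age=N; includeSubDomains"; returns null if max-age is missing or invalid.
  static parse(value) {
    const policy = { maxAge: null, includeSub: false };
    for (const part of value.split(';')) {
      const [name, raw = ''] = part.trim().split('=');
      const key = name.trim().toLowerCase();
      const arg = raw.trim().replace(/^"(.*)"$/, '$1'); // max-age may be quoted
      if (key === 'max-age' && /^\d+$/.test(arg)) policy.maxAge = Number(arg);
      if (key === 'includesubdomains') policy.includeSub = true;
    }
    return policy.maxAge === null ? null : policy;
  }

  // Record a response. The header is honoured only when it arrived over HTTPS.
  noteResponse(url, stsHeader, nowSec) {
    const u = new URL(url);
    if (u.protocol !== 'https:' || !stsHeader) return false;
    const policy = HstsStore.parse(stsHeader);
    if (!policy) return false;
    if (policy.maxAge === 0) this.hosts.delete(u.hostname); // max-age=0 removes the entry
    else this.hosts.set(u.hostname, { expires: nowSec + policy.maxAge, includeSub: policy.includeSub });
    return true;
  }

  // True if host, or a parent domain with includeSubDomains, has an unexpired entry.
  isKnown(host, nowSec) {
    const labels = host.split('.');
    for (let i = 0; i < labels.length; i++) {
      const entry = this.hosts.get(labels.slice(i).join('.'));
      if (entry && entry.expires > nowSec && (i === 0 || entry.includeSub)) return true;
    }
    return false;
  }

  // URL the browser actually requests: http:// is rewritten for known HSTS hosts.
  effectiveUrl(url, nowSec) {
    const u = new URL(url);
    if (u.protocol === 'http:' && this.isKnown(u.hostname, nowSec)) u.protocol = 'https:';
    return u.href;
  }
}
```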