<p>There are technical reasons which mean that enabling HSTS is not likely to be possible - we did try it once but it broke any site that was trying to use OAuth access to our API with http URLs because the client would sign an http URL but the browser would silently convert it to https meaning that the signature didn't match.</p>
<p>So we would only be able to enable HSTS once we had somehow persuaded every site that does OAuth against us to switch to HTTP URLs, and we don't even know how big that set is, let alone how to go about contacting them.</p>
<p>I don't think <a href="https://github.com/openstreetmap/openstreetmap-website/pull/939">#939</a> is the one I was thinking of but there have been various discussions over the years where people have objected to forcing https because of the impact on people using lossy connections.</p>
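<p>The failure the comment describes, as an added example that is not part of the thread or of the openstreetmap-website code: OAuth 1.0a HMAC-SHA1 signing (RFC 5849) builds its signature base string from the request method, the base URI including its scheme, and the normalized parameters. A client that signs an <code>http://</code> URL and a server that recomputes the signature over the <code>https://</code> URL it actually received (after an HSTS upgrade) produce different base strings, so verification fails. The credentials, host, path, nonce and timestamp below are constructed for the example; the assumption is that the API verifies signatures the RFC 5849 way.</p>

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, urlsplit

# Constructed credentials for illustration only; not real keys.
CONSUMER_SECRET = "consumer-secret-example"
TOKEN_SECRET = "token-secret-example"


def _pct(s: str) -> str:
    # RFC 5849 section 3.6 percent-encoding: only unreserved characters are left alone.
    return quote(s, safe="-._~")


def base_string_uri(url: str) -> str:
    # RFC 5849 section 3.4.1.2: scheme and host lowercased, default port dropped,
    # query string excluded. The scheme is part of what gets signed.
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    default_port = {"http": 80, "https": 443}.get(scheme)
    netloc = host if parts.port in (None, default_port) else f"{host}:{parts.port}"
    return f"{scheme}://{netloc}{parts.path}"


def signature_base_string(method: str, url: str, params: dict) -> str:
    # RFC 5849 section 3.4.1: METHOD & encoded(base URI) & encoded(normalized params).
    normalized = "&".join(f"{_pct(k)}={_pct(v)}" for k, v in sorted(params.items()))
    return "&".join([method.upper(), _pct(base_string_uri(url)), _pct(normalized)])


def hmac_sha1_signature(method: str, url: str, params: dict,
                        consumer_secret: str, token_secret: str) -> str:
    # RFC 5849 section 3.4.2: key is encoded(consumer secret) & encoded(token secret).
    key = f"{_pct(consumer_secret)}&{_pct(token_secret)}".encode()
    msg = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, msg, hashlib.sha1).digest()).decode()


def server_verifies(method: str, received_url: str, params: dict,
                    client_signature: str) -> bool:
    # The server recomputes over the URL it actually received. If the browser
    # upgraded http:// to https:// on the way in, the base string no longer
    # matches the one the client signed and the request is rejected.
    expected = hmac_sha1_signature(method, received_url, params,
                                   CONSUMER_SECRET, TOKEN_SECRET)
    return hmac.compare_digest(expected, client_signature)


# Constructed protocol parameters; nonce and timestamp are fixed so the
# example is deterministic.
OAUTH_PARAMS = {
    "oauth_consumer_key": "example-consumer-key",
    "oauth_token": "example-token",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1478000000",
    "oauth_nonce": "abc123",
    "oauth_version": "1.0",
}


def demo() -> dict:
    # Hypothetical API host and path, not the project's real endpoint.
    http_url = "http://api.example.org/api/resource"
    https_url = "https://api.example.org/api/resource"
    # Client signs the http:// URL it was configured with.
    sig = hmac_sha1_signature("GET", http_url, OAUTH_PARAMS,
                              CONSUMER_SECRET, TOKEN_SECRET)
    return {
        "accepted_when_received_over_http": server_verifies("GET", http_url, OAUTH_PARAMS, sig),
        "accepted_when_upgraded_to_https": server_verifies("GET", https_url, OAUTH_PARAMS, sig),
    }


if __name__ == "__main__":
    for outcome, ok in demo().items():
        print(f"{outcome}: {'valid' if ok else 'signature mismatch'}")
```

<p>Running <code>demo()</code> shows the same signature accepted at the <code>http://</code> URL and rejected once the request arrives at <code>https://</code>; nothing about the credentials changed, only the scheme in the base string. That is why a blanket HSTS policy cannot be switched on until every signing client is already building its base string over the <code>https://</code> URL.</p>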
<p style="font-size:small;-webkit-text-size-adjust:none;color:#666;">—<br />You are receiving this because you are subscribed to this thread.<br />Reply to this email directly, <a href="https://github.com/openstreetmap/openstreetmap-website/pull/1341#issuecomment-258439266">view it on GitHub</a>, or <a href="https://github.com/notifications/unsubscribe-auth/ABWnLSrnkAlcdtrUyD4Tex6Xe4uO5K0Kks5q6zsYgaJpZM4KhSPK">mute the thread</a>.</p>
<p>Comment by @tomhughes on openstreetmap/openstreetmap-website pull request #1341.</p>