﻿id	summary	reporter	owner	description	type	status	priority	milestone	component	resolution	keywords	cc
396	Better documentation for HTTPS redirects	geofft		"Apparently the process of making your site automatically redirect from HTTP to HTTPS is way too complicated even by itself, and gets more awful when it interacts with pre-existing `.htaccess` files. See [https://help.mit.edu/Ticket/Display.html?id=2670510 RT #2670510], which quotes the following configuration:

{{{
RewriteEngine On
# Redirect basically everything to https://feed.mit.edu/
RewriteCond %{SERVER_NAME} ^(feed|feed\.scripts|feed\.scripts\.mit\.edu|scripts|scripts\.mit\.edu|scripts-cert|scripts-cert\.mit\.edu)$ [NC]
RewriteRule ^(.*)$ https://feed.mit.edu/$1 [B,noescape,redirect=301]

# Force everything to HTTPS, so we don't rely on application-level
# redirects, which can fail
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [B,noescape,redirect=301]
}}}

It'd be pretty useful to make this part of official documentation, either by writing it up as an FAQ, or setting up something vaguely along the lines of the `/__scripts/needcerts` trick to handle redirections. (I suppose that won't work directly, but can we direct users to include a global `.htaccess` snippet from some path, or something?) In particular, the way in which that code incorporates implementation details of scripts (the scripts and scripts-cert URLs) would be nice to encapsulate from users, if possible.

It's worth noting that this is in practice a prerequisite for turning on [http://dev.chromium.org/sts HSTS] on your site and having it be useful to anyone. Possibly this documentation should also tell you how to enable HSTS via a command in your `.htaccess`.

See also #187, which is !WordPress-specific, and brings up the point that this gets even more complicated when trying to use it in concert with certificate authentication."	enhancement	new	normal		documentation			
