Please redirect to HTTPS on gitforwindows.org. The site itself is available over HTTPS; it just doesn't have redirects.
I recognize that the "Download" buttons all link back to HTTPS here on git-for-windows/git/releases, but if the site itself is MITMed, the links can be changed. I think it's (at least mildly) dangerous that the official website for an important software download has a non-HTTPS link in Google's index.
Thanks for all you do.
@ethomson any idea how to do that?
Agreed, we should have HSTS here. I’ll take a look.
I turned on redirections from HTTP -> HTTPS - and Cloudflare has an option to rewrite links in the page. I did _not_ yet turn on HSTS, but I'll do so if everything seems okay after this change.
@ethomson just tested the HTTP -> HTTPS redirect is occurring in Edge, Chrome, Firefox and even IE11 in Win10. All looks good here.
Okay, the HTTP -> HTTPS redirect is in place. I'm actually going to defer turning on HSTS; since HSTS is basically a permanent big hammer, let's make sure that we're happy with all our certificates and hosting. I think _not_ having HSTS is acceptable until then, since we are not providing downloads from https://git-for-windows.org/ (those are provided by GitHub) and we are not asking for information.
Since we've satisfied this request, I'm closing it. Thanks @michaelblyons for pointing this out. 😄
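
The state the thread ends in (redirect on, HSTS deferred) can be checked from recorded responses. The following is an added example, not part of the issue thread or the project's code: it confirms the HTTP request redirects to HTTPS on the same host and parses any `Strict-Transport-Security` header. The status codes and header values in the sample data are constructed.

```python
from urllib.parse import urlsplit

def parse_hsts(value):
    """Parse a Strict-Transport-Security value; None if absent or malformed."""
    if not value:
        return None
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not (arg.isascii() and arg.isdigit()):
                return None
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None

def audit(host, http_response, https_response):
    """Each response is a recorded (status, headers) pair for one request to host."""
    status, headers = http_response
    location = {k.lower(): v for k, v in headers.items()}.get("location", "")
    target = urlsplit(location)
    redirects = (status in (301, 302, 307, 308)
                 and target.scheme == "https" and target.hostname == host)
    # Browsers ignore HSTS sent over plain HTTP (RFC 6797), so read it from HTTPS.
    secure = {k.lower(): v for k, v in https_response[1].items()}
    hsts = parse_hsts(secure.get("strict-transport-security"))
    return {
        "redirects_to_https": redirects,
        "hsts": hsts,
        # Only a non-zero max-age makes the browser skip plain HTTP on later visits.
        "later_visits_forced_to_https": bool(hsts and hsts["max_age"] > 0),
    }

# Constructed responses modelling the state the thread ends in: redirect on, HSTS off.
HOST = "gitforwindows.org"
REDIRECT_ONLY = audit(HOST,
                      (301, {"Location": "https://gitforwindows.org/"}),
                      (200, {"Content-Type": "text/html"}))
# Constructed responses for the deferred step, with a one-year HSTS policy.
WITH_HSTS = audit(HOST,
                  (301, {"Location": "https://gitforwindows.org/"}),
                  (200, {"Strict-Transport-Security": "max-age=31536000"}))
```

With the redirect alone, every visit that starts on `http://` still sends one plain-HTTP request before being redirected; a non-zero `max-age` removes that request on later visits for as long as the policy is cached.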