tl;dr: Check that your RSS reader is using an HTTPS URL, because the HTTP one will start redirecting soon, and you probably want to find out if it breaks.

Edit from four days later: I’ve flipped the switch on this and, from the logs, it doesn’t seem to be messing anybody up.

It’s been just about four years since I finally got HTTPS and HTTP/2 working for this site. During that time, I’ve seen most incoming traffic from humans transition over to encrypted connections. (HTTP/2 connections are also significantly faster for both my server, and your user experience, than earlier editions.)

You might wondering what I mean by “traffic from humans.” Well, it turns out the vast majority of my remaining unencrypted HTTP traffic (ye olde port 80) is from a combination of:

• RSS readers (80%)
• Shady crawler bots that don’t check robots.txt (15%)
• Google, for some reason – I’ve poked them about it (~4%)
• Requests that may be from actual humans (1%ish)

Since I deployed httpd2 back in 2020, I’ve been waiting for an opportunity to turn off publicfile, the HTTP server I’ve used since time immemorial. publicfile has served well, but the code is as archaic as its protocol support, its license makes it difficult to maintain, and (frankly) I’m less excited about appearing to support DJB and his software ecosystem these days.

So, I figure I will do the following:

1. Respond to all HTTP requests with a 301 redirect to HTTPS (…something publicfile can’t actually do out of the box), and
2. Turn on the Strict Transport Security header.

For best results, check your RSS reader today and verify that it’s using an HTTPS URL. It should follow the redirect when I enable it, but, you never know.