security extravaganza

You may have seen a few updates in the changelogs around security and all that kind of fun stuff. Nothing happened on the backend, and I hope nothing ever does happen. Ultimately, I am just keeping our site ahead of the curve when it comes to any kind of vulnerabilities that can impact you all.

The most recent change is the riskiest for usability. I just added a Content Security Policy to the site. This essentially limits what other domains can do on the forums. The main goal here is to prevent any kind of cross-site scripting from untrusted sources. I get to create a handy whitelist of what domains can perform what kind of actions.

I did some click-through testing of a few different functions and they appear to be working. All the testing was done in report-only mode, so now I am flipping the switch to enforcement.

If you notice anything weird, mostly around content not loading (embeds, images, etc.), please post here.

Thanks everyone!

Oh, and a big side effect of this: if you try and use the built-in embedding on the forums, some sites may not function right. The vast majority should work since I am building the embed via iframely. For some of them (like imgur), they are using native embeds. These have to be https links in order to properly embed.

Part of the requirements I have set up is that all content on the forums is displayed over https. It gives us the nice secure flag in Chrome!


5 Likes
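To make the "whitelist of what domains can perform what actions" concrete, here is an added example (not the forum's own configuration, and not code from the site or from iframely) that builds a CSP header, switches between report-only and enforcing mode, and checks which resource loads the policy would allow. The site origin `forums.example.org` and the embed host `embed-provider.example` are constructed placeholders; `imgur.com` is used only because the post mentions it. The matcher covers the common source forms ('self', 'none', scheme sources like `https:`, host sources with an optional scheme or `*.` wildcard) and the fall-back from a missing fetch directive to `default-src`; it ignores ports and paths for brevity.

```python
"""Build a Content Security Policy from a per-directive source whitelist and
check which resource loads it would allow.  Added example; placeholder hosts."""
from urllib.parse import urlsplit

# Fetch directives fall back to default-src when they are not set explicitly.
FETCH_DIRECTIVES = {"script-src", "style-src", "img-src", "frame-src",
                    "connect-src", "font-src", "media-src"}


def build_csp(policy, report_only=False, report_uri=None):
    """Return (header_name, header_value).  report_only selects the
    Content-Security-Policy-Report-Only header, which logs violations
    without blocking anything; report_uri adds a report-uri directive."""
    name = ("Content-Security-Policy-Report-Only" if report_only
            else "Content-Security-Policy")
    parts = [f"{d} {' '.join(srcs)}" for d, srcs in policy.items()]
    if report_uri:
        parts.append(f"report-uri {report_uri}")
    return name, "; ".join(parts)


def _host_matches(pattern, host):
    """Match a host-source such as cdn.example.net or *.imgur.com
    (a wildcard matches subdomains only, not the bare domain)."""
    if not host:
        return False
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return host == pattern


def source_allowed(policy, directive, url, site_origin):
    """Would a resource at `url` be allowed for `directive` on a page
    served from `site_origin`?  Ports and paths are ignored."""
    sources = policy.get(directive)
    if sources is None and directive in FETCH_DIRECTIVES:
        sources = policy.get("default-src")
    if sources is None:
        return True          # no applicable directive: nothing restricted
    if sources == ["'none'"]:
        return False
    site, res = urlsplit(site_origin), urlsplit(url)
    for src in sources:
        if src == "'none'":
            continue         # ignored when other sources are listed
        if src == "'self'":
            if (res.scheme, res.netloc) == (site.scheme, site.netloc):
                return True
        elif src.endswith(":"):                    # scheme source, e.g. https:
            if res.scheme == src[:-1]:
                return True
        elif "://" in src:                         # host source with scheme
            s = urlsplit(src)
            if res.scheme == s.scheme and _host_matches(s.hostname, res.hostname):
                return True
        else:                                      # bare host source
            # matches the page's scheme, or https; never http on an https page
            if _host_matches(src, res.hostname) and res.scheme in (site.scheme, "https"):
                return True
    return False


def audit(policy, loads, site_origin):
    """Return the (directive, url) pairs the policy would block.  Running this
    over the loads seen in report-only mode shows what enforcement will break."""
    return [(d, u) for d, u in loads if not source_allowed(policy, d, u, site_origin)]


# Constructed policy for an https-only forum (placeholder hosts).
SITE = "https://forums.example.org"
POLICY = {
    "default-src": ["'self'"],
    "script-src": ["'self'", "https://embed-provider.example"],
    "img-src": ["'self'", "https:", "data:"],
    "frame-src": ["'self'", "https://embed-provider.example",
                  "https://imgur.com", "https://*.imgur.com"],
}

if __name__ == "__main__":
    print(*build_csp(POLICY, report_only=True, report_uri="/csp-report"))
    # constructed sample loads: the http imgur embed is the one that breaks
    loads = [("frame-src", "https://i.imgur.com/abc"),
             ("frame-src", "http://imgur.com/a/abc"),
             ("img-src", "http://cdn.example.net/x.png"),
             ("connect-src", "https://forums.example.org/api")]
    for d, u in audit(POLICY, loads, SITE):
        print("blocked:", d, u)
```

The audit function is the useful part of the report-only phase: feed it the resource loads the browser reported and anything it returns is what will stop rendering once the header name changes to the enforcing one. Note how `connect-src` is checked against `default-src` because it is absent, while a directive that is not a fetch directive (for example `form-action`) is left unrestricted.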

I just submitted the site to be added to the fancy HSTS preload list.

This shouldn’t make a difference at all for any browsing now. I already had HSTS set up, and had a redirect. Being on the HSTS list tells all browsers to always force https, even if you have not been to the site before. Some light reading can be found here about it: https://https.cio.gov/hsts/

5 Likes

I am pleased to announce that we are now on the HSTS preload list. This means that all major browsers will know to only allow https connections to this site! This should happen as those browsers get updated.

3 Likes
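The two posts above describe the difference between HSTS learned from a response header and HSTS preloaded into the browser. The following added example (not the forum's code) parses a `Strict-Transport-Security` header, checks it against the published preload-list header requirements (a `max-age` of at least one year, `includeSubDomains`, and the `preload` token), and models a browser's HSTS store so the "even if you have not been to the site before" effect can be seen directly. Host names and header values are constructed; `forums.example.org` is a placeholder.

```python
"""Strict-Transport-Security parsing, preload-eligibility check and a minimal
model of a browser HSTS store.  Added example with constructed sample values."""

ONE_YEAR = 31536000   # seconds; minimum max-age for hstspreload.org


def parse_hsts(header):
    """Return {'max-age': int|None, 'includesubdomains': bool, 'preload': bool}.
    Directive names are case-insensitive; unknown directives are ignored."""
    parsed = {"max-age": None, "includesubdomains": False, "preload": False}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                parsed["max-age"] = int(value.strip().strip('"'))
            except ValueError:
                parsed["max-age"] = None      # malformed value: treat as absent
        elif name in ("includesubdomains", "preload"):
            parsed[name] = True
    return parsed


def preload_problems(header):
    """Reasons the header would be rejected by the preload submission form;
    an empty list means the header itself is eligible."""
    p = parse_hsts(header)
    problems = []
    if p["max-age"] is None:
        problems.append("max-age missing or not an integer")
    elif p["max-age"] < ONE_YEAR:
        problems.append(f"max-age {p['max-age']} is below the required {ONE_YEAR}")
    if not p["includesubdomains"]:
        problems.append("includeSubDomains directive missing")
    if not p["preload"]:
        problems.append("preload directive missing")
    return problems


class HstsCache:
    """A browser's HSTS knowledge: hosts shipped in the preload list plus
    entries learned from headers on earlier visits, each with an expiry."""

    def __init__(self, preloaded=()):
        self.preloaded = set(preloaded)
        self.learned = {}     # host -> (expires_at, include_subdomains)

    def observe(self, host, header, now):
        """Record an HSTS header received over https from `host`."""
        p = parse_hsts(header)
        if p["max-age"] is None:
            return
        if p["max-age"] == 0:
            self.learned.pop(host, None)          # max-age=0 clears the entry
            return
        self.learned[host] = (now + p["max-age"], p["includesubdomains"])

    def must_use_https(self, host, now):
        """True if the browser would rewrite an http request to `host`."""
        # preloaded entries always cover subdomains (a preload requirement)
        if any(host == h or host.endswith("." + h) for h in self.preloaded):
            return True
        for h, (expires, subs) in self.learned.items():
            if now >= expires:
                continue                           # expired entry
            if host == h or (subs and host.endswith("." + h)):
                return True
        return False


if __name__ == "__main__":
    good = "max-age=31536000; includeSubDomains; preload"
    print(preload_problems("max-age=15768000"))    # three problems
    print(preload_problems(good))                  # []
    fresh = HstsCache(preloaded=["forums.example.org"])
    print(fresh.must_use_https("forums.example.org", now=0))   # True, never visited
    learner = HstsCache()
    learner.observe("other.example", "max-age=60", now=100)
    print(learner.must_use_https("other.example", now=150))    # True until 160
```

`HstsCache` with an empty preload set is the situation before the submission: a first-time visitor can still be served the plain-http redirect, and a learned entry lapses when `max-age` runs out. With the host in `preloaded`, `must_use_https` is true on the very first request, which is the guarantee the preload list adds over the header alone.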