Package: www.debian.org
Severity: wishlist

https://www.debian.org/ (and other Debian sites) serve a Strict-Transport-Security header to enable HSTS. Please consider enabling preloading as well; see https://hstspreload.appspot.com/ for details. Enabling preloading would ensure that even if a user types "debian.org" into their browser, the very first request from that browser will use HTTPS rather than HTTP.

Thanks,
Josh Triplett

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.5.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)