Feature request: HSTS for GitHub pages

There is already an issue on isaacs/github¹ about this, but I’m not sure whether that got much attention. I thought this might be a better place to ask: Can we expect HSTS support to be available for GitHub pages at some point? The current lack of HSTS makes GitHub somewhat less secure than alternatives and it seems like a rather simple feature to implement. Thanks for considering!

¹ with 120 thumbs up reactions at the time of writing

We seem to have this already, but not in every situation. And it doesn’t appear to be well documented, so I’ll see about getting on top of that.

HSTS seems to work automatically on Pages sites created by users who created their accounts after the afternoon of June 15, 2016. The key here is when an account is created, not the pages site itself.

The good news is that a pages site created by an organisation created after that date will use HSTS. I’ve checked it out with my own pre-2016 account (no) and a brand new organisation account owned by my account (yes).

So your personal username.github.io can’t have it just yet (we’re trying to not break old pages sites for now) but if you create a new organisation for a pages site, you’ll have it there.

I hope that makes sense!

Well, the site I’m most interested in having HSTS for is already in an org, which was probably created around April 2016 :sweat_smile:

Thanks for the quick reply though :slight_smile:
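
One way to run the check the replies describe, whether a given Pages response carries a usable HSTS policy, shown as an added example that is not part of the thread or GitHub's own code. It evaluates response headers by the RFC 6797 rules; the header lists are constructed samples, and `parse_hsts` and `hsts_status` are hypothetical names.

```python
import re

# RFC 6797 section 6.1: directive = token [ "=" ( token | quoted-string ) ]
_TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
_DIRECTIVE = re.compile("(" + _TOKEN + ")" + r'(?:\s*=\s*("[^"]*"|[^\s;"]+))?')


def parse_hsts(value):
    """Parse a Strict-Transport-Security value; return a dict, or None if invalid.
    Simplification: quoted strings containing ';' are not supported."""
    seen = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:                       # empty directives are permitted
            continue
        m = _DIRECTIVE.fullmatch(part)
        if not m:
            return None
        name = m.group(1).lower()          # directive names are case-insensitive
        if name in seen:                   # each directive may appear only once
            return None
        seen[name] = (m.group(2) or "").strip('"')
    if not re.fullmatch(r"[0-9]+", seen.get("max-age", "")):
        return None                        # max-age is required and numeric
    return {"max_age": int(seen["max-age"]),
            "include_subdomains": "includesubdomains" in seen,
            "preload": "preload" in seen}


def hsts_status(scheme, headers):
    """headers: list of (name, value) in wire order. Returns (state, policy)."""
    if scheme != "https":
        return ("ignored-over-http", None)  # browsers ignore HSTS sent over HTTP
    values = [v for k, v in headers if k.lower() == "strict-transport-security"]
    if not values:
        return ("absent", None)
    policy = parse_hsts(values[0])          # only the first header is processed
    if policy is None:
        return ("invalid", None)
    if policy["max_age"] == 0:
        return ("cleared", policy)          # max-age=0 removes a stored policy
    return ("enforced", policy)


# Constructed sample responses (not captured from any real site).
WITH_HSTS = [("Content-Type", "text/html"),
             ("Strict-Transport-Security", "max-age=31536000")]
WITHOUT_HSTS = [("Content-Type", "text/html")]
```

Feed it the header list from an HTTPS response for the site in question; a result of `absent` matches the behaviour reported above for older accounts.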