I propose we pull the trigger and enable HSTS on many of our sites; we already force them anyway by doing a soft 302 redirect, but really we should set HSTS flags.
This includes things like
- www.h.o and new-www.h.o
- ghc.haskell.org AKA Trac
Planet and Hackage may have to stick around with HTTP availble to not interrupt existing clients.