by sjwright 2527 days ago
> old visitors were rejected due to the policy

Also because their links and bookmarks would have all failed.


But HSTS also blocks the workaround of "just Google it and find the page again"
You can use the webmaster tools on Google to fix the indexing. It takes a few days, but it is worth the effort.
The issue is that the browser won't let you visit the insecure URL, regardless of how you get to it.

It won't work because the HSTS setting the visitor got months ago told it not to.

That is exactly what I am talking about.

In the webmaster tools, you want to get Google to remove all references to the non-HTTPS versions. Ensure HTTPS is up on all URLs, then use their tools to re-index everything and remove all references to http://

Are you saying you can't set up HTTPS on some of your URLs?

The argument here is that enabling HSTS can be dangerous because if you enable it and then later become unable to serve HTTPS for some reason, you will have no way of turning it off. Even if you get your clients to manually edit their bookmarks to use HTTP again, their browsers will just rewrite the URL to HTTPS anyway.

There's no issue with switching FROM HTTP to HTTPS: that's easy, just redirect them. The issue is if you have to switch back.
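The mechanism this comment describes, as an added example that is not part of the thread: a small Python model of a browser's HSTS cache (simplified from RFC 6797, no preload list). It shows that once a host has set `Strict-Transport-Security`, `http://` bookmarks are rewritten to `https://` until the entry expires, that a plain-HTTP response cannot clear the entry, and that the only clean exit is serving `max-age=0` over HTTPS before HTTPS is switched off. Hostnames and header values are constructed.

```python
import re
import time

# Added example (not from the thread): a toy model of a browser's HSTS cache,
# used to show why switching back from HTTPS to HTTP is hard once HSTS is on.

HSTS_RE = re.compile(r"max-age\s*=\s*(\d+)", re.IGNORECASE)


def parse_hsts(header):
    """Return (max_age, include_subdomains) from a Strict-Transport-Security
    header value, or None if there is no usable max-age directive."""
    m = HSTS_RE.search(header)
    if m is None:
        return None
    directives = [d.strip().lower() for d in header.split(";")]
    return int(m.group(1)), "includesubdomains" in directives


class HstsCache:
    """Per-host HSTS state: host -> (expiry timestamp, include_subdomains)."""

    def __init__(self, now=None):
        self.entries = {}
        self.now = now if now is not None else time.time

    def process_response(self, scheme, host, header):
        # Browsers only honour the header over HTTPS: an http:// response can
        # neither set nor clear HSTS state, which is the crux of the argument.
        if scheme != "https":
            return
        parsed = parse_hsts(header)
        if parsed is None:
            return
        max_age, include_subdomains = parsed
        if max_age == 0:
            self.entries.pop(host, None)  # max-age=0 deletes the entry
        else:
            self.entries[host] = (self.now() + max_age, include_subdomains)

    def is_known(self, host):
        """True if host (or a parent with includeSubDomains) has a live entry."""
        for known, (expiry, include_subdomains) in list(self.entries.items()):
            if expiry <= self.now():
                del self.entries[known]  # lazily expire stale entries
                continue
            if host == known or (include_subdomains and host.endswith("." + known)):
                return True
        return False

    def rewrite(self, url):
        """What the browser actually fetches when asked for `url`."""
        scheme, rest = url.split("://", 1)
        host = rest.split("/", 1)[0]
        if scheme == "http" and self.is_known(host):
            return "https://" + rest
        return url


def scenario():
    """Walk through the thread's scenario with a controllable clock.
    Returns the URL fetched at each of three stages."""
    clock = [1_000_000]
    cache = HstsCache(now=lambda: clock[0])
    # Constructed header: a typical one-year policy, delivered over HTTPS.
    cache.process_response("https", "example.com",
                           "max-age=31536000; includeSubDomains")
    pinned = cache.rewrite("http://example.com/page")
    # Months later the site can no longer serve HTTPS. A plain-HTTP response
    # cannot undo the entry, so the user's edited bookmark is still rewritten.
    clock[0] += 90 * 86400
    cache.process_response("http", "example.com", "max-age=0")
    still_pinned = cache.rewrite("http://example.com/page")
    # The clean exit: while HTTPS still works, send max-age=0 over HTTPS.
    cache.process_response("https", "example.com", "max-age=0")
    released = cache.rewrite("http://example.com/page")
    return pinned, still_pinned, released


if __name__ == "__main__":
    for stage, url in zip(("pinned", "http max-age=0", "https max-age=0"), scenario()):
        print(f"{stage:>16}: {url}")
```

A practical consequence of the model: starting with a short `max-age` and raising it only once HTTPS has proven stable limits how long a mistaken deployment locks clients out, since every client that visits before the policy expires can still pick up a `max-age=0` over HTTPS.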

I completely understand. The bookmark scenario is even easier than the google links. You simply set up https and the cached HSTS entries will work.