we've got the certs, so we should staple down dev.gentoo.org to always use https
Ya, hsts is good, just make sure that hpkp isn't enabled as it's takes a lot more care. https://community.letsencrypt.org/t/hpkp-best-practices-if-you-choose-to-implement/4625
This looks complete: $ curl -IL http://dev.gentoo.org HTTP/1.1 301 Moved Permanently Date: Thu, 16 Jun 2022 00:36:34 GMT Server: Apache Permissions-Policy: interest-cohort=() Referrer-Policy: strict-origin-when-cross-origin Location: https://dev.gentoo.org/ Content-Type: text/html; charset=iso-8859-1 HTTP/1.1 302 Found Date: Thu, 16 Jun 2022 00:36:34 GMT Server: Apache Location: https://www.gentoo.org Content-Type: text/html; charset=iso-8859-1 HTTP/2 200 server: nginx content-type: text/html last-modified: Thu, 16 Jun 2022 00:31:12 GMT etag: "62aa79d0-5aa2" strict-transport-security: max-age=31536000 x-frame-options: SAMEORIGIN x-content-type-options: nosniff accept-ranges: bytes date: Thu, 16 Jun 2022 00:36:35 GMT via: 1.1 varnish age: 0 x-served-by: cache-sjc10033-SJC x-cache: MISS x-cache-hits: 0 x-timer: S1655339795.130308,VS0,VE705 vary: Accept-Encoding content-length: 23202
