Cheat.sh does not auto redirect to https

[srjennings]

trafficstars

Accessing http://cheat.sh does not automatically redirect to https.

[srjennings]

Hm...now it does... weird!

[srjennings]

Cookies were to blame! Ha. It does not auto redirect to https://... screenshot

[chubin]

@deyjcode Steve, you are right, it does not redirect. The problem is that many users access it directly with curl from the cli (curl cht.sh), without specifying the protocol, and it would be not a good idea to send the a redirection instead of the response.

But we could activate the redirection at least for the browser version

[srjennings]

Good point. I think having it just activated for the browser would be a good compromise!

[TeFiLeDo]

@chubin To be honest, I disagree. While curl doesn't follow redirects on its own, I don't think it's too much to ask users to add the -L parameter. That beeing said, I do understand why you wouldn't want to make such a change without a few weeks notice.

I don't really know if the HTTP standard allows it, but maybe you could explain this to curl users in the body of the redirection response.

As for the cht.sh client I don't really understand why it doesn't use HTTPS by default. If it actually does, I don't understand why you'd bring it up.

[chubin]

cht.sh uses HTTPS by default actually:

https://github.com/chubin/cheat.sh/blob/0df9db42214dc0bda0f474171583dcedbbfe5717/share/cht.sh.txt#L38

What we also could do here to encourage HTTPS usage, we can add a warning message when HTTP is used. Something like

You are using insecure connection. Use curl https://cht.sh instead.

Another option: always, when HTTPS is used, return the 301 response, but still with the correct body, and maybe with additional warning about -L usage.