Enforcing HTTPS across all services
Currently many of the resources that our production machine serves can be retrieved with both the http and https protocols.
As far as I understand, the standard these days is to always use https, no matter what the resource is. This ensures that all outgoing data is always properly secured (we don't have to selectively enable https, as that is prone to mistakes), and that there will be no issue with resources interacting with different protocols.
Doing this should be relatively easy: we will still accept incoming requests through http, but these requests will always be redirected to https. This can be done through our nginx server, with something like this. You can see that most sites do something similar, e.g. if you try to load this issue page with http, GitLab will automatically switch to https.
What do you think?
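
A sketch of the nginx redirect proposed above, added here as an illustration; it is not part of the original issue or the project's actual configuration. The host name `example.org`, the certificate paths and the HSTS lifetime are placeholders, and the HSTS header is an optional extra that the issue does not mention.

```nginx
# Catch-all plain-HTTP listener: serves no content, only redirects.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;

    # $host keeps whichever name the client asked for, so a single block
    # covers every service behind this nginx. 301 is permanent; clients may
    # replay a redirected POST as GET, so use 308 instead if non-GET
    # requests must survive the redirect unchanged.
    return 301 https://$host$request_uri;
}

# The HTTPS listener that actually serves the resources.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.org;                            # placeholder

    ssl_certificate     /etc/nginx/tls/fullchain.pem;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/privkey.pem;     # placeholder path

    # Optional: the redirect alone still lets the first request (and any
    # cookie not marked Secure) travel in clear text. HSTS tells browsers
    # that have visited once to skip http entirely for max-age seconds.
    add_header Strict-Transport-Security "max-age=31536000" always;

    # ... existing location blocks for the services go here ...
}
```

After reloading, `curl -I http://example.org/` should show a `301` status with a `Location: https://...` header.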