Bug 1351363 is aiming to add as many apex/root Mozilla domains to the HSTS preload list as possible, to protect first connections and also to catch any subdomains that forget to set an HSTS header themselves. Rough steps: 1) Identify etherpad-mozilla.org subdomains that don't yet support HTTPS and file dependant bugs to fix them. 2) Ensure the apex/root domain (https://etherpad-mozilla.org/) serves an HSTS header that meets the requirements on https://hstspreload.org/ 3) Submit the domain using that same tool

We made a mistake when deploying this. The apex was meant to have HSTS, but doesn't, because we use a different server for the root redirect. Ugh. I will try to help untangle this and have Webops fix it next week. Any dependent domain that doesn't use SSL can break, we offer no SLA or other guarantees about any Etherpad-related service.

Etherpad is eventually heading for a decom, not going to make any changes here.