Runar Ovesen Hjerpbakk

Science-based software development

Enabling https on a Jekyll site

The attentive reader has already noticed that hjerpbakk.com is finally served over https. Even though this is a wholly static website written using Jekyll, you, my dear readers, deserve your privacy.

hjerpbakk.com now uses https

Switching to https was ridiculously easy. I’ve followed The 6-Step “Happy Path” to HTTPS by security expert Troy Hunt of have i been pwned? fame.

However, I encountered one irritating problem: even on localhost, my internal links tried to load over https…

How to disable https locally

The only Jekyll-specific change I made was changing the URL in _config.yml:

url: https://hjerpbakk.com

The config I use locally remained unchanged, _config-dev.yml:

url: http://localhost:4000

As such, I did not understand how this problem could exist at all.

Backtracking through Troy’s excellent post, I re-read section 5, “Add The upgrade-insecure-requests CSP”. The point is adding

<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">

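to the head of your pages so the browser “upgrades” all http requests to https before sending them. I had made exactly this change, and that is why my local environment wanted to be more secure than it could: the local server on localhost:4000 is configured for plain http only, so the upgraded requests had nothing to talk to.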

Thus, the solution was to add a variable indicating whether the site is built for a local or a production environment.

# _config.yml
url: https://hjerpbakk.com
production: true

# _config-dev.yml
url: http://localhost:4000
production: false

I also changed my default.html template such that this security policy is only activated on the live site:

{% if site.production == true %}
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
{% endif %}
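
A build check for the switch above, as an added example that is not part of the original post: it parses generated pages and reports any whose upgrade-insecure-requests meta tag does not match the intended environment. The function names and sample pages are constructed for illustration, and `_site` is assumed as the output directory (Jekyll's default).

```python
import pathlib
import sys
from html.parser import HTMLParser

DIRECTIVE = "upgrade-insecure-requests"

class _CspMetaFinder(HTMLParser):
    """Collects CSP policies set by <meta http-equiv> inside <head> only;
    browsers ignore a CSP meta element placed outside <head>."""
    def __init__(self):
        super().__init__()
        self.in_head = False
        self.policies = []

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "meta" and self.in_head:
            a = {k: (v or "") for k, v in attrs}
            if a.get("http-equiv", "").strip().lower() == "content-security-policy":
                self.policies.append(a.get("content", ""))

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False

def csp_upgrade_enabled(html):
    """True if any CSP meta policy in <head> carries the directive."""
    finder = _CspMetaFinder()
    finder.feed(html)
    for policy in finder.policies:
        for directive in policy.split(";"):   # directives are ';'-separated
            tokens = directive.split()
            if tokens and tokens[0].lower() == DIRECTIVE:
                return True
    return False

def mismatched_pages(pages, production):
    """pages maps path -> HTML. Returns paths whose CSP state is wrong:
    tag missing in a production build, or present in a local build."""
    return sorted(p for p, html in pages.items()
                  if csp_upgrade_enabled(html) != production)

if __name__ == "__main__":
    # Usage (assumed): python check_csp.py production|dev [_site]
    production = sys.argv[1] == "production"
    root = pathlib.Path(sys.argv[2] if len(sys.argv) > 2 else "_site")
    pages = {str(f): f.read_text(encoding="utf-8") for f in root.rglob("*.html")}
    bad = mismatched_pages(pages, production)
    print("\n".join(bad) or "all pages match")
    sys.exit(1 if bad else 0)
```

Run after each build, it catches a page that bypasses default.html and ships without the policy, as well as a dev build accidentally made with the production config.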