Enabling https on a Jekyll site
The attentive reader has already noticed that hjerpbakk.com is finally served over https. Even though this is a wholly static website written using Jekyll, you, my dear readers, deserve your privacy.
Switching to https was ridiculously easy. I followed The 6-Step “Happy Path” to HTTPS by security expert Troy Hunt of have i been pwned? fame.
However, I encountered one irritating problem: even on localhost, my internal links tried to load over https…
How to disable https locally
The only Jekyll specific change I made was changing the URL in _config.yml:
url: https://hjerpbakk.com
The config I use locally, _config-dev.yml, remained unchanged:
url: http://localhost:4000
As such I did not understand how this problem could exist at all.
Backtracking through Troy’s excellent post, I re-read section 5, Add the upgrade-insecure-requests CSP. The point is adding
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
to your header so that the browser rewrites every http request made by the page, including its internal links, to https before sending it. I had done exactly this change, and that is why my local environment wanted to be more secure than it could: the directive turned links to http://localhost:4000 into requests for https://localhost:4000, which the Jekyll development server does not serve.
Thus, the solution was to add a variable indicating whether the site is built for a local or a production environment.
# _config.yml
url: https://hjerpbakk.com
production: true
# _config-dev.yml
url: http://localhost:4000
production: false
I also changed my default.html template such that this security policy is only activated on the live site:
{% if site.production == true %}
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
{% endif %}
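To see the two configs and the template condition work together without running Jekyll, here is an added Ruby example (not code from the post or from Jekyll). It assumes the configs are layered the way Jekyll's documented --config option does it, later files overriding earlier ones key by key, and expresses the Liquid condition from default.html as a Ruby function. The YAML, the CSP tag and the hypothetical head template are embedded inline as constructed input, and a final check flags the exact misconfiguration that bit me: the upgrade directive shipped together with a plain-http site URL.

```ruby
require "yaml"

# Constructed stand-ins for the two config files from the post. On a real
# site these live on disk; inline here so the script runs anywhere.
CONFIG_PROD = <<~YAML
  url: https://hjerpbakk.com
  production: true
YAML

CONFIG_DEV = <<~YAML
  url: http://localhost:4000
  production: false
YAML

# Layer configs the way `jekyll build --config a.yml,b.yml` does: later
# files override earlier ones, key by key. (Assumption: this mirrors
# Jekyll's documented --config behaviour; it is not Jekyll's own code.)
def merge_configs(*yaml_sources)
  yaml_sources.reduce({}) do |site, src|
    site.merge(YAML.safe_load(src) || {})
  end
end

CSP_META = '<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">'

# The Liquid condition `{% if site.production == true %}` in Ruby: emit the
# CSP meta tag only when `production` is literally true, not merely truthy.
def csp_meta_for(site)
  site["production"] == true ? CSP_META : ""
end

# Render a minimal <head> (hypothetical template) for a merged site config.
def render_head(site)
  <<~HTML
    <head>
      #{csp_meta_for(site)}
      <link rel="canonical" href="#{site["url"]}/">
    </head>
  HTML
end

# Post-build sanity check: the upgrade directive and a plain-http site URL
# must never appear together, because the browser would rewrite every
# internal link to https://localhost:4000, which the dev server does not serve.
def consistent?(html, site)
  upgrades = html.include?("upgrade-insecure-requests")
  https_site = site["url"].to_s.start_with?("https://")
  !upgrades || https_site
end

if __FILE__ == $0
  [[CONFIG_PROD], [CONFIG_PROD, CONFIG_DEV]].each do |layers|
    site = merge_configs(*layers)
    html = render_head(site)
    puts "url=#{site['url']} production=#{site['production']} consistent=#{consistent?(html, site)}"
    puts html
  end
end
```

Running the script shows the production layering emitting the CSP tag and the production-plus-dev layering omitting it. The consistent? check is worth keeping as a build step: a dev config that sets only url and forgets production: false would inherit production: true from _config.yml and reintroduce the original problem. Jekyll also exposes jekyll.environment (set with JEKYLL_ENV=production at build time), which can drive the same conditional without a custom config key.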