Determine HTTP to HTTPS upgrade mechanism

[kjetilk]

Discussed briefly in #26 , there are several upgrade mechanisms from HTTP to HTTPS. We currently suggest 301 but it doesn't seem very settled what the semantics of 301 in relation to RDF, even though it has been discussed for a long time. It was raised in the TAG but doesn't seem to have a conclusion.

There's also RFC2817.

[acoburn]

Somewhat orthogonal to the 3xx response code discussion, but perhaps we should also recommend the use of the Strict-Transport-Security header, defined in RFC 6797.

[elf-pavlik]

Could you possibly define the problem a little bit more? I thought Solid will require HTTPS, I think OAuth2 also requires it.

[RubenVerborgh]

I thought Solid will require HTTPS

It's a SHOULD. (There are cases, such as testing and behind a reverse proxy, where you want the pod itself to run over HTTP.)

But even when HTTPS is required/used, we still need to be able to react to regular HTTP requests, namely by switching them to HTTPS. This issue specifies how.