MikeJones here's the redirect flow when you access https://seekadventure.net/:

$ curl -I https://seekadventure.net/
HTTP/1.1 301 Moved Permanently
Server: nginx/1.10.3 (Ubuntu)
Date: Sat, 05 Jan 2019 13:13:33 GMT
Content-Type: text/html
Content-Length: 194
Connection: keep-alive
Location: http://www.seekadventure.net/
Strict-Transport-Security: max-age=2592000; includeSubDomains; preload

$ curl -I http://www.seekadventure.net/
HTTP/1.1 301 Moved Permanently
Server: nginx/1.10.3 (Ubuntu)
Date: Sat, 05 Jan 2019 13:14:04 GMT
Content-Type: text/html
Content-Length: 194
Connection: keep-alive
Location: https://www.seekadventure.net/

However, your browser will skip http://www.seekadventure.net/ and use https://www.seekadventure.net/ right away after the first redirect because you're serving an HSTS header telling the browser to always use HTTPS on your website.

If you inspect the "network" tab of your browser you will still see that the http:// url is returned in the Location header of the first response. It's a bit easier to see with a command line utility like curl as I did above.

Browsers without HSTS support will go through the 2 redirects and the connection could get hijacked when hitting http://www.seekadventure.net/.

I see you added the HSTS preload flag but you can see https://hstspreload.org/ itself refuses to preload it because you're serving that insecure redirect, and your max-age also does not qualify for preload 😉

    clarkwinkelmann Thanks for the tip! I am almost there, but still running into an issue on my NGINX server.

    So I navigated to /etc/nginx/sites-available and I edited my seekadventure.net file there.

    I edited my HSTS line to say this:

        # Security headers
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";

    But when I put it into https://hstspreload.org/ I still get "max-age too low"... it's not reading my new number.

      MikeJones I do get the current max-age when accessing your website and the preload website also doesn't complain anymore when I try.

      Maybe you had not restarted/reloaded nginx (or the server) ?

      There's still the redirect issue preventing preload though.

        clarkwinkelmann Forgot to update: I found where I needed to double tap my max-age. I am still looking into the redirect issue though.

        Thought everything with our forum was perfect, until we got a D and the following report:

        Your vendor folder is currently being served by your webserver. This could expose untrusted scripts to the world and compromise your security. Use a rewrite rule to prevent your webserver from serving this folder.

        Any idea how to fix that on a shared hosting?

          MikeJones yes there's one listen for www. and one for bare domain, they could be merged but it should work fine the way it is.

          The redirect "issue" is on line 5. Replace return 301 http://www.seekadventure.net$request_uri; with return 301 https://www.seekadventure.net$request_uri;

          user1993 great if it's fixed 👌
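As an added check covering both points raised in this thread (the HTTPS to HTTP hop in the redirect chain and the max-age that is too short for preloading), here is a small offline checker; it is not code from the thread or from hstspreload.org, and it walks a constructed copy of the curl responses quoted above instead of fetching anything:

```python
from urllib.parse import urlparse

PRELOAD_MIN_MAX_AGE = 31536000  # one year, the minimum hstspreload.org accepts
REDIRECT_CODES = (301, 302, 307, 308)

def parse_hsts(value):
    """Split an HSTS header value into (max_age, include_subdomains, preload)."""
    max_age, include_sub, preload = None, False, False
    for directive in value.split(";"):
        d = directive.strip().lower()
        if d.startswith("max-age="):
            max_age = int(d.split("=", 1)[1].strip().strip('"'))
        elif d == "includesubdomains":
            include_sub = True
        elif d == "preload":
            preload = True
    return max_age, include_sub, preload

def preload_problems(start_url, responses, max_hops=5):
    """Walk pre-captured responses {url: (status, headers)} from start_url and
    list everything that would block HSTS preloading."""
    problems, url, hsts = [], start_url, None
    for _ in range(max_hops):
        status, headers = responses[url]
        # Remember the HSTS policy from the first HTTPS response that sends one
        if hsts is None and urlparse(url).scheme == "https":
            hsts = headers.get("Strict-Transport-Security")
        if status not in REDIRECT_CODES:
            break
        nxt = headers["Location"]
        # A redirect issued over HTTPS must land on HTTPS, never drop to HTTP
        if urlparse(url).scheme == "https" and urlparse(nxt).scheme == "http":
            problems.append(f"insecure redirect: {url} -> {nxt}")
        url = nxt
    if hsts is None:
        problems.append("no HSTS header on the first HTTPS response")
        return problems
    max_age, include_sub, preload = parse_hsts(hsts)
    if max_age is None or max_age < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age {max_age} below {PRELOAD_MIN_MAX_AGE}")
    if not include_sub:
        problems.append("includeSubDomains missing")
    if not preload:
        problems.append("preload missing")
    return problems

# Constructed from the curl output quoted in the thread (not a live fetch)
HSTS_BEFORE = "max-age=2592000; includeSubDomains; preload"
CHAIN_BEFORE = {
    "https://seekadventure.net/": (301, {"Location": "http://www.seekadventure.net/",
                                         "Strict-Transport-Security": HSTS_BEFORE}),
    "http://www.seekadventure.net/": (301, {"Location": "https://www.seekadventure.net/"}),
    "https://www.seekadventure.net/": (200, {"Strict-Transport-Security": HSTS_BEFORE}),
}
```

Running `preload_problems("https://seekadventure.net/", CHAIN_BEFORE)` reports the insecure hop and the short max-age; once the first redirect points at https://www and max-age is raised to one year, the list is empty.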


            Hi guys, following a suggestion from @luceos I implemented a simple first version of a forum showcase feature at https://lab.migratetoflarum.com/showcase

            The idea is as follows: any forum that has been scanned publicly (without checking "hide from homepage") will be added to the showcase tab. A ping is made every few weeks to check if the forum still exists and to update the metadata.

            Anybody can scan your forum and therefore get it on the showcase (which is kind of the point here actually), but I know not everybody will want to end up in the showcase. So I also took the opportunity to implement a proper opt out feature at https://lab.migratetoflarum.com/opt-out

            To opt out, you will have to add a meta tag to your forum, and it will instruct the lab to never show your forum in public results, including both the showcase and public scans. Users of the lab will still be able to scan the forum, but no link will appear on the homepage of the lab.

            I will probably retroactively add some previously scanned forums to the showcase once I'm sure everything is working correctly. Right now I've only pinged some well known forums to get started.

            Let me know if you notice any issue, it's an early version of the feature. Consider contacting me privately via the email in the footer if you have issues or concerns with the opt out feature.

            If you see a particular issue with your website, consider opening a GitHub issue so we can better track the resolution.

            Planned features (coming soon ™️):

            • forum screenshot
            • ability to order by number of discussions/users

            What do you think of the feature? Any suggestions for future updates?

              What you forgot to mention is that this alleviates the issue with the Showcase tag and the discussions related to showcasing existing Flarum forums. The ping mentioned checks whether the site is still serving an active Flarum installation, and as such the Lab is able to provide an index/list of Flarum installations still used in production.

              I think there's huge potential in such an index, thank you for jumping onto the idea 🤗

              matteocontrini language is totally feasible. You can't hide the language packs you use in Flarum, so even if the lang attribute is not correctly configured I should be able to get the language.

              Question for all: would you be interested in a "MigrateToFlarum Showcase" extension that you can install on your forum so the lab can get better statistics with fewer requests, as well as letting you customize a few things?

              For example, the following could be done:

              • Get the number of discussions without hitting your API, as well as get the number of discussions above 50k
              • Get the number of discussions if your forum requires registration to see discussions
              • Get the number of private discussions. Based on settings, could include discussions behind a paywall or private discussions between users for example
              • Get the number of users even if you don't allow user listing
              • Get activity stats
              • More frequent update of statistics
              • Automated addition to the showcase without having to scan the forum first
              • Ability to opt out from the lab without manually adding the meta tag
              • Ability to customize the forum description for the showcase
              • Ability to select showcased discussions or pages from the forum
              • Ability to select your forum market category or audience to sort out forums in the showcase

              These are just the ideas I had. They would all be optional if implemented. There's no timeline for such an extension, I'd love to hear your thoughts first.

              Also, what if it was a paid extension, so it supports the lab and offers you a bit more visibility in the showcase?

              Now live on the lab:

              • If your forum url ends with a public folder, we check for misconfigured web root and offer a link to https://flarum.org/docs/install.html#customizing-paths
              • Made the exposed storage folder test compatible with beta 8
              • In the showcase forums are now sorted by discussion count by default
              • Added the ability to sort by discussion and user count
              • Descriptions now show under beta 8 forums in the showcase
              • And last but not least... SCREENSHOTS!

              Check out the showcase here https://lab.migratetoflarum.com/showcase

              Not all websites have gotten their screenshots yet; this should come with the next automated refresh for those I didn't manually trigger.

              Already noticed:

              I realized a few websites didn't load fast enough and have a "loading" page visible.

              Due to how the lab works, a forum will only be removed from the showcase if it has not been a Flarum for multiple weeks. However the screenshots will continue to be made, hence some error pages getting in the screenshots. I'll check how to work around that.