Should http use 301 redirect to https, not 302?
Everybody else on the web these days is using a 301 (permanent) redirect in this situation.
Is there a reason we're still using the 302 temporary?
It appears to be the default in Apache, where our common-torproject.org-redirect stanza says
    RewriteEngine On
    RewriteRule ^/(.*)$ https://www.torproject.org/$1 [R]
and according to https://httpd.apache.org/docs/2.4/rewrite/flags.html#flag_r, "Any valid HTTP response status code may be specified, using the syntax [R=305], with a 302 status code being used by default if none is specified."
I don't know where the best place is to make the project-wide change. Maybe it is "modules/roles/templates/static-mirroring/vhost/www.torproject.org.erb" in Puppet? And then we would need to change each site one at a time? Maybe there is somewhere better? :)
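One way to find every affected rule before changing sites one at a time, as an added example that is not part of the original ticket or of the project's Puppet code: a small Python audit that reports `RewriteRule` lines whose explicit R flag resolves to 302 for an `https://` target. The function names are hypothetical, and the sample config is constructed except for the first rule, which is the one quoted above.

```python
import re

# Symbolic names mod_rewrite accepts for the R flag, besides numeric codes.
SYMBOLIC = {"temp": 302, "permanent": 301, "seeother": 303}

RULE_RE = re.compile(
    r"^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?\s*$", re.IGNORECASE
)

def redirect_status(flags):
    """Status code an explicit R/redirect flag yields, or None if there is none."""
    for flag in (f.strip() for f in flags.split(",")):
        name, _, value = flag.partition("=")
        if name.lower() not in ("r", "redirect"):
            continue
        if not value:
            return 302  # bare [R]: Apache's documented default
        if value.lower() in SYMBOLIC:
            return SYMBOLIC[value.lower()]
        # Numeric form such as R=301; anything else is not a usable code.
        return int(value) if value.isdigit() else None
    return None

def find_temporary_https_redirects(config_text):
    """Return (line number, rule) for https:// redirects that resolve to 302."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        match = RULE_RE.match(line)
        if not match:
            continue
        _pattern, target, flags = match.groups()
        if target.lower().startswith("https://") and redirect_status(flags or "") == 302:
            findings.append((lineno, line.strip()))
    return findings

# Constructed sample: line 2 is the rule from the ticket, the rest are made up.
SAMPLE = """\
RewriteEngine On
RewriteRule ^/(.*)$ https://www.torproject.org/$1 [R]
RewriteRule ^/old/(.*)$ https://www.torproject.org/new/$1 [R=301,L]
RewriteRule ^/tmp/(.*)$ https://www.torproject.org/$1 [L,R=temp]
RewriteRule ^/perm/(.*)$ https://www.torproject.org/$1 [redirect=permanent]
RewriteRule ^/internal$ /index.html [L]
"""

if __name__ == "__main__":
    for lineno, rule in find_temporary_https_redirects(SAMPLE):
        print(f"line {lineno}: 302 redirect: {rule}")
```

Run against rendered vhost files rather than the `.erb` templates, since template expressions can change the rule text.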