I see a ton of warnings about making sure every resource is HTTPS (which I’ve done) before using force-https in the Discourse security settings. What happens if I don’t?
If my background URL in my CSS code is only HTTP, will that just fail to load until I update my CSS to a proper HTTPS link (http://example.com/uploads/default/original/1x/something.jpg vs https://example.com/uploads/default/original/1x/something.jpg), or does the entire site catastrophically destroy itself?
You can test by going to your secured site (you might need to go incognito) and use Chrome (or similar) to inspect – then check the Security tab. It will list anything not being served over HTTPS that you may have missed.
The thing that we see frequently is social logins not redirecting to the HTTPS URL.
My site is secure, I made sure of that when my padlock wasn’t showing up.
My big question is what happens if someone were to force it regardless? Does the site become inoperable until a file update and rebuild is forced, is it impossible to connect, does it show HTTPS without actual security (like a misconfigured Cloudflare)?
It depends on what isn’t secure. If it’s images you’ll see a security error, if it’s an SSO redirection then SSO will fail. I imagine there are thousands of other possible outcomes depending on what the specific missing content is.
This isn’t my area of expertise. @supermathie can probably elaborate.
The behaviour depends on the browser in question, but in general I think you’re safe assuming:
images will load (with a warning)
other resources such as .js or .css will refuse to load
If you want to be extra careful before forcing SSL, visiting Chrome’s net-internals page (chrome://net-internals/#hsts) and adding your domain to the STS set will let you “preview” how your browser will behave with “Force SSL” enabled.
One thing you can also do to verify SSL is fully operational: do the discobot tutorial with a new user and go until the certificate is rendered. If that SVG rendering fails, it is most likely an SSL error, meaning that Ruby’s SSL verification failed.
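To find the http:// references that, per the reply above, a browser will either warn about (images) or refuse to load (scripts, stylesheets) before turning on force-https, here is an added example that is not from this thread or from Discourse: it scans a page's HTML, including url(...) in style blocks, and classifies each http:// sub-resource. The sample page and its example.com URLs are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

# "Active" mixed content (scripts, stylesheets, frames) is blocked; "passive" (images, media) loads with a warning.
ACTIVE = {"script": "src", "link": "href", "iframe": "src"}
PASSIVE = {"img": "src", "video": "src", "audio": "src", "source": "src"}
CSS_URL = re.compile(r"""url\(\s*['"]?([^'")]+)['"]?\s*\)""", re.I)

class _MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.in_style, self.findings = page_url, False, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        self.in_style = tag == "style"
        for table, kind in ((ACTIVE, "active"), (PASSIVE, "passive")):
            attr = table.get(tag)
            if attr and attrs.get(attr):
                self._check(kind, tag, attrs[attr])
        for url in CSS_URL.findall(attrs.get("style") or ""):  # inline style="..."
            self._check("passive", f"{tag}[style]", url)

    def handle_endtag(self, tag):
        self.in_style = False
    def handle_data(self, data):
        if self.in_style:  # url(...) inside a <style> block, e.g. a background image
            for url in CSS_URL.findall(data):
                self._check("passive", "style", url)
    def _check(self, kind, where, url):
        # Relative and protocol-relative ("//host/x.js") URLs resolve against the
        # HTTPS page URL, so only an absolute http:// result is mixed content.
        absolute = urljoin(self.page_url, url.strip())
        if absolute.lower().startswith("http://"):
            self.findings.append((kind, where, absolute))

def find_mixed_content(html, page_url):
    """Return [(kind, where, url)] for every http:// sub-resource of an https:// page."""
    scanner = _MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings

# Constructed sample page (not a real site): one blocked stylesheet, two warned
# images, plus a protocol-relative script and a relative image that are fine.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://example.com/stylesheets/desktop.css">
<style>body { background: url("http://example.com/uploads/default/original/1x/something.jpg"); }</style>
<script src="//example.com/assets/application.js"></script>
</head><body><img src="/uploads/default/original/1x/avatar.png"><img src="http://example.com/uploads/default/original/1x/logo.png"></body></html>"""
```

Run it against the HTML your HTTPS site actually serves (fetched in an incognito session, as suggested above); the "active" entries are the ones that will break the page once force-https is on.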