When setting up a new Discourse forum, I recently forgot to enable the
force https setting
This isn’t just a security issue, it also prevents internal HTTPS links from getting the onebox treatment.
Because this setting should usually be enabled anyway, I’d suggest that the setup wizard should prompt to enable it, at least if the user is viewing the wizard over HTTPS. (In that case, I’d even consider enabling it without prompting…)