Switch to `https` when possible

Léo Colombaro 2018-11-23 13:15:44 +01:00
parent b0b3dd87c4
commit e38617e7fb
No known key found for this signature in database
GPG Key ID: 687B480A6D4F735F
11 changed files with 25 additions and 25 deletions

View File

@ -17,7 +17,7 @@ and [submitting pull requests](#pull-requests), but please respect the following
restrictions:
* Please **do not** use the issue tracker for personal support requests (use
[Stack Overflow](http://stackoverflow.com) or IRC).
[Stack Overflow](https://stackoverflow.com) or IRC).
* Please **do not** derail or troll issues. Keep the discussion on topic and
respect the opinions of others.
@ -38,7 +38,7 @@ Guidelines for bug reports:
latest `master` or development branch in the repository.
3. **Isolate the problem** — ideally create a [reduced test
case](http://css-tricks.com/6263-reduced-test-cases/) and a live example.
case](https://css-tricks.com/6263-reduced-test-cases/) and a live example.
A good bug report shouldn't leave others needing to chase you up for more
information. Please try to be as detailed as possible in your report. What is
@ -90,7 +90,7 @@ accurate comments, etc.) and any other requirements (such as test coverage).
Adhering to the following this process is the best way to get your work
included in the project:
1. [Fork](http://help.github.com/fork-a-repo/) the project, clone your fork,
1. [Fork](https://help.github.com/fork-a-repo/) the project, clone your fork,
and configure the remotes:
```bash
@ -117,7 +117,7 @@ included in the project:
```
4. Commit your changes in logical chunks. Please adhere to these [git commit
message guidelines](http://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html)
message guidelines](https://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html)
or your code is unlikely be merged into the main project. Use Git's
[interactive rebase](https://help.github.com/articles/interactive-rebase)
feature to tidy up your commits before making them public.
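Review bot: the commit title says "when possible", but nothing in the patch shows that each rewritten host was checked, and the `tbaggery.com` link changed in this hunk is the kind of small site where that matters. Please confirm that every rewritten URL answers over TLS with a valid certificate and serves the same page. A link checker run over the changed lines would do, and the result could be mentioned in the commit message.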

View File

@ -15,7 +15,7 @@
## Related projects
* [HTML5 Boilerplate](http://html5boilerplate.com) — professional front-end
* [HTML5 Boilerplate](https://html5boilerplate.com) — professional front-end
template.
* [Server configs](https://github.com/h5bp/server-configs) — Configs for
other web servers.

View File

@ -10,7 +10,7 @@ Depending on the server architecture, it's possible to get the following error:
> could not build the types_hash, you should increase either
> types_hash_max_size: 1024 or types_hash_bucket_size: 32
Nginx uses [hash tables](http://nginx.org/en/docs/hash.html) to speed up certain
Nginx uses [hash tables](https://nginx.org/en/docs/hash.html) to speed up certain
tasks, usually the default value is sufficient but depending on the actual server
config this error might be encountered. The solution is to do exactly what the
error message suggests, by adding to nginx.conf the following:

View File

@ -9,7 +9,7 @@ assets.
## valid_referers
the simplest way to protect assets from hotlinking is to use
[valid_referers](http://nginx.org/en/docs/http/ngx_http_referer_module.html).
[valid_referers](https://nginx.org/en/docs/http/ngx_http_referer_module.html).
It's easy to use, this would be included in a relevant location block:
valid_referers none blocked example.com *.example.com;
@ -19,7 +19,7 @@ It's easy to use, this would be included in a relevant location block:
## secure_link
The [secure_link module](http://nginx.org/en/docs/http/ngx_http_secure_link_module.html)
The [secure_link module](https://nginx.org/en/docs/http/ngx_http_secure_link_module.html)
provides a flexible, more robust means of protecting assets from being hotlinked or
downloaded outside from outside the web itself.
@ -48,7 +48,7 @@ Example nginx config:
This requires implementing server-side logic to generate links of the form:
http://example.com/protected/url.ext?md5=hash&expires=timestamp
https://example.com/protected/url.ext?md5=hash&expires=timestamp
where:
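Review bot: the link form on the changed line now starts with `https://example.com/protected/`, but the "Example nginx config:" named in the hunk header is not touched by this commit. Please check that the example server block actually serves that location over TLS, otherwise the documented link and the documented config no longer match. Since `md5=hash&expires=timestamp` travel in the query string, it would also help to say in the text that TLS keeps the signed link from being read in transit.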

View File

@ -69,7 +69,7 @@ header to permit only a finite list of domains to make AJAX requests.
### no-transform.conf
[No transform headers](http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9.5)
[No transform headers](https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9.5)
prevent mobile providers from modifying/optimizing served content. This file
contains the directive only and should be included only when it is specifically
desired for the server response to remain unmodified.
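Review bot: the no-transform link on the changed line only has its scheme swapped and still targets `rfc2616-sec14.html#sec14.9.5`. RFC 2616 has been obsoleted by RFC 7230 to 7235, with `Cache-Control` now specified in RFC 7234. As the line is being edited anyway, consider pointing it at the current specification instead.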
@ -83,11 +83,11 @@ This file contains sane-default config for setting up nginx to handle SSL traffi
### ssl-stapling.conf
[OCSP staping](http://en.wikipedia.org/wiki/OCSP_stapling) relates to handling
[OCSP staping](https://en.wikipedia.org/wiki/OCSP_stapling) relates to handling
the revocation of SSL certificates, this config file turns on stapling using
Google's DNS resolver.
### x-ua-compatible.conf
This adds a header to force internet explorer to use the highest mode available.
As of [Internet explorer version 11 this is no longer necessary](http://msdn.microsoft.com/en-us/library/ie/bg182625.aspx#docmode).
As of [Internet explorer version 11 this is no longer necessary](https://msdn.microsoft.com/en-us/library/ie/bg182625.aspx#docmode).
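Review bot: the rewritten link text under `### ssl-stapling.conf` still reads "OCSP staping". Fix the spelling to "OCSP stapling" in the same change, since the line is already being modified. The same applies to the capitalization of "internet explorer" in the `x-ua-compatible.conf` paragraph.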

View File

@ -4,13 +4,13 @@
# How Nginx works
If you're familiar with any other webserver, some aspects of
[the way Nginx works](http://nginx.org/en/docs/http/request_processing.html)
[the way Nginx works](https://nginx.org/en/docs/http/request_processing.html)
can cause confusion. This document aims to highlight differences or features
which may trip up new users.
## Nginx will only use one location block
A [location block (directive)](http://nginx.org/en/docs/http/ngx_http_core_module.html#location)
A [location block (directive)](https://nginx.org/en/docs/http/ngx_http_core_module.html#location)
defines the behavior for a given request which matches the location url pattern. The block used
is whichever is the most specific for the given request, the rules for
precedence can be found in [Nginx's wiki](http://wiki.nginx.org/HttpCoreModule#location).
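Review bot: the last line of this hunk still links to `http://wiki.nginx.org/HttpCoreModule#location`, so the file keeps one plain-HTTP reference after the change. If that host cannot be reached over HTTPS, say so in the commit message. Otherwise, replace it with the `https://nginx.org/en/docs/http/ngx_http_core_module.html#location` link already used two lines above, which documents the same precedence rules.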

View File

@ -7,26 +7,26 @@ The `nginx.conf` file is the main config file for nginx, which either defines
or includes the whole configuration for the server.
When editing or defining an nginx configuration file - take care to note in
which [context](http://nginx.org/en/docs/beginners_guide.html#conf_structure)
which [context](https://nginx.org/en/docs/beginners_guide.html#conf_structure)
a directive applies.
Below are some notes on a few of the more important/commonly-edited directives.
For detailed information on any particular directive, please see
[the official documentation](http://nginx.org/en/docs/).
[the official documentation](https://nginx.org/en/docs/).
## user
The [user directive](http://nginx.org/en/docs/ngx_core_module.html#user)
The [user directive](https://nginx.org/en/docs/ngx_core_module.html#user)
indicates which user the server will run as. This is typically a user
specifically for web usage such as "www" "www-data".
The webserver user, and file permissions for any application, should be defined/chosen
following [the principle of least privilege](http://en.wikipedia.org/wiki/Principle_of_least_privilege)
following [the principle of least privilege](https://en.wikipedia.org/wiki/Principle_of_least_privilege)
i.e., sufficient privileges to function correctly but no more than that.
## worker_processes
The [worker_processes directive](http://nginx.org/en/docs/ngx_core_module.html#worker_processes)
The [worker_processes directive](https://nginx.org/en/docs/ngx_core_module.html#worker_processes)
broadly defines the number of connections nginx can process.
As of version 1.2.5+ and 1.3.8+, nginx supports the value "auto" which will
@ -35,7 +35,7 @@ the number of CPUs is a good default/starting point.
## error_log
The [error_log directive](http://nginx.org/en/docs/ngx_core_module.html#error_log)
The [error_log directive](https://nginx.org/en/docs/ngx_core_module.html#error_log)
can be defined/overriden in any context. The directive in the main context
defines the log file to use unless otherwise overriden (at http, server or location
level). This must point to a location writable to the webserver user.
@ -50,6 +50,6 @@ to where you would like log files to be located. e.g.:
## pid
The [pid directive](http://nginx.org/en/docs/ngx_core_module.html#pid) is used
The [pid directive](https://nginx.org/en/docs/ngx_core_module.html#pid) is used
by nginx to store the process id of the main process. This must point to a writable
location.

View File

@ -1,6 +1,6 @@
# Cross domain AJAX requests
# http://www.w3.org/TR/cors/#access-control-allow-origin-response-header
# https://www.w3.org/TR/cors/#access-control-allow-origin-response-header
# **Security Warning**
# Do not use this without understanding the consequences.

View File

@ -10,7 +10,7 @@ add_header X-Content-Type-Options nosniff always;
# The header instructs IE to enable its inbuilt anti-cross-site scripting filter.
add_header X-XSS-Protection "1; mode=block" always;
# with Content Security Policy (CSP) enabled (and a browser that supports it (http://caniuse.com/#feat=contentsecuritypolicy),
# with Content Security Policy (CSP) enabled (and a browser that supports it (https://caniuse.com/#feat=contentsecuritypolicy),
# you can tell the browser that it can only download content from the domains you explicitly allow
# CSP can be quite difficult to configure, and cause real issues if you get it wrong
# There is website that helps you generate a policy here http://cspisawesome.com/
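Review bot: the final comment line still points to `http://cspisawesome.com/` while the caniuse link above it was switched, which leaves a plain-HTTP reference inside the security-headers file itself. Either convert it, if the site supports HTTPS, or drop or replace the link. The changed comment line also has an unbalanced parenthesis, `(and a browser that supports it (https://caniuse.com/...),`, which could be closed in the same edit.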

View File

@ -21,7 +21,7 @@ ssl_session_timeout 24h;
# nginx does not auto-rotate session ticket keys: only a HUP / restart will do so and
# when a restart is performed the previous key is lost, which resets all previous
# sessions. The fix for this is to setup a manual rotation mechanism:
# http://trac.nginx.org/nginx/changeset/1356a3b9692441e163b4e78be4e9f5a46c7479e9/nginx
# https://trac.nginx.org/nginx/changeset/1356a3b9692441e163b4e78be4e9f5a46c7479e9/nginx
#
# Note that you'll have to define and rotate the keys securely by yourself. In absence
# of such infrastructure, consider turning off session tickets:

View File

@ -1,5 +1,5 @@
# Configuration File - Nginx Server Configs
# http://nginx.org/en/docs/dirindex.html
# https://nginx.org/en/docs/dirindex.html
# Run as a unique, less privileged user for security reasons.
# Default: nobody nobody