I don't know if either of these are planned but the move to https for the forums now allows for the use of these features.
I noticed[1] that you already support OCSP but this actually limits coverage since Chrome does not support normal OCSP checking[2] (there are privacy concerns with normal OCSP checking). It should be fairly straightforward to support OCSP stapling. I don't know how much control you have over your nginx configuration but nginx should most definitely support OCSP stapling.
If you have compatibility concerns with supporting HSTS you can set the max age to something short to begin with. It doesn't offer much protection but it gives you time to get the kinks out. I think you lose some of the benefits of HSTS by not supporting https across all subdomains but I also think that's not a valid reason not to enable it considering you're already redirecting to https on the forums.
These features may very well be planned but haven't been implemented yet since you just switched over. This was just something I noticed when checking out the SSL test from Qualys.
[1] https://dev.ssllabs.com/ssltest/analyze.html?d=forums.anandtech.com&s=23.79.255.218&hideResults=on
[2] https://www.imperialviolet.org/2014/04/19/revchecking.html
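The two settings suggested in the post above, as an added nginx example that is not part of the original post and not the site's actual configuration. The hostname, certificate paths, resolver address and the 300-second max-age are placeholder assumptions.

```nginx
server {
    listen 443 ssl;
    server_name forums.example.com;              # placeholder hostname

    # Placeholder paths: leaf certificate followed by its intermediates, and the key.
    ssl_certificate     /etc/nginx/tls/fullchain.pem;
    ssl_certificate_key /etc/nginx/tls/privkey.pem;

    # OCSP stapling: nginx fetches the OCSP response from the CA itself and
    # sends it in the TLS handshake, so the browser never contacts the CA's
    # responder (the privacy concern with normal OCSP checking).
    ssl_stapling on;
    # Verify the fetched response against the issuer chain before stapling it.
    ssl_stapling_verify on;
    # Placeholder path: intermediate and root CA certificates used for that check.
    ssl_trusted_certificate /etc/nginx/tls/chain.pem;
    # nginx needs a resolver to look up the responder's hostname.
    resolver 192.0.2.53 valid=300s;              # placeholder resolver address
    resolver_timeout 5s;

    # HSTS with a deliberately short lifetime while compatibility is tested.
    # includeSubDomains is left out because not every subdomain serves https.
    # "always" sends the header on error responses as well.
    add_header Strict-Transport-Security "max-age=300" always;

    location / {
        # A location that declares its own add_header stops inheriting the
        # server-level ones, so the HSTS line has to be repeated in any such block.
        root /var/www/forums;                    # placeholder content root
    }
}
```

nginx fetches the OCSP response lazily, so the first handshakes after a reload may carry no staple; `openssl s_client -connect <host>:443 -status` shows whether one is being sent. Once the short max-age has caused no problems, raise it in steps.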
