After many years of being served over HTTPS, I finally remembered to enable HTTP Strict Transport Security. There was never any reason not to – all traffic to any website or app at goes through my reverse proxy, and it’s served with a wildcard * certficiate. If it doesn’t go through my reverse proxy, that’s a bug, and should be fixed. Several days after making this change, I closed my GMail tab, and typed mail.