docs: upgrade http links to https; fix broken link #312

Merged
merged 2 commits into from
Apr 30, 2021
2 changes: 1 addition & 1 deletion CONTRIBUTING.md
@@ -4,7 +4,7 @@ Helmet welcomes contributors! This guide should help you submit issues and pull

## Got a question, problem, or feature request?

The documentation and [Stack Overflow](http://stackoverflow.com/questions/tagged/helmet.js) are good places to start.
The documentation and [Stack Overflow](https://stackoverflow.com/questions/tagged/helmet.js) are good places to start.

Feel free to [add an issue](https://github.com/helmetjs/helmet/issues) if those don't help!

2 changes: 1 addition & 1 deletion README.md
@@ -1,6 +1,6 @@
# Helmet

[![npm version](https://badge.fury.io/js/helmet.svg)](http://badge.fury.io/js/helmet)
[![npm version](https://badge.fury.io/js/helmet.svg)](https://badge.fury.io/js/helmet)
[![npm dependency status](https://david-dm.org/helmetjs/helmet.svg)](https://david-dm.org/helmetjs/helmet)
[![FOSSA Status](https://app.fossa.io/api/projects/git%2Bhttps%3A%2F%2Fgithub.com%2Fhelmetjs%2Fhelmet.svg?type=shield)](https://app.fossa.io/projects/git%2Bhttps%3A%2F%2Fgithub.com%2Fhelmetjs%2Fhelmet?ref=badge_shield)
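Review bot: Only the badge's link target changes on the npm-version line; the image URL on that same line was already https, so the README no longer has a mixed-scheme badge. The david-dm.org and fossa.io badges on the following lines are already https and correctly left alone.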

4 changes: 2 additions & 2 deletions middlewares/content-security-policy/README.md
@@ -2,7 +2,7 @@

Content Security Policy (CSP) helps prevent unwanted content from being injected/loaded into your webpages. This can mitigate cross-site scripting (XSS) vulnerabilities, clickjacking, formjacking, malicious frames, unwanted trackers, and other web client-side attacks.

If you want to learn how CSP works, check out the fantastic [HTML5 Rocks guide](http://www.html5rocks.com/en/tutorials/security/content-security-policy/), the [Content Security Policy Reference](http://content-security-policy.com/), and the [Content Security Policy specification](http://www.w3.org/TR/CSP/).
If you want to learn how CSP works, check out the fantastic [HTML5 Rocks guide](https://www.html5rocks.com/en/tutorials/security/content-security-policy/), the [Content Security Policy Reference](https://content-security-policy.com/), and the [Content Security Policy specification](https://www.w3.org/TR/CSP/).

This middleware helps set Content Security Policies.
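Review bot: Scheme-only change on all three links, hosts and paths unchanged, which is fine. Nit: the W3C link still points at the unversioned /TR/CSP/ path while the prose calls it "the Content Security Policy specification"; if the middleware targets a particular CSP level, consider naming it in the link text in a follow-up so readers know which level the options documented below correspond to.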

@@ -62,5 +62,5 @@ app.use((req, res) => {

- [Google's CSP Evaluator tool](https://csp-evaluator.withgoogle.com/)
- [CSP Scanner](https://cspscanner.com/)
- [GitHub's CSP journey](http://githubengineering.com/githubs-csp-journey/)
- [GitHub's CSP journey](https://githubengineering.com/githubs-csp-journey/)
- [Content Security Policy for Single Page Web Apps](https://developer.squareup.com/blog/content-security-policy-for-single-page-web-apps/)
2 changes: 1 addition & 1 deletion middlewares/strict-transport-security/README.md
@@ -1,6 +1,6 @@
# HTTP Strict Transport Security middleware

This middleware adds the `Strict-Transport-Security` header to the response. This tells browsers, "hey, only use HTTPS for the next period of time". ([See the spec](http://tools.ietf.org/html/rfc6797) for more.) Note that the header won't tell users on HTTP to _switch_ to HTTPS, it will just tell HTTPS users to stick around. You can enforce HTTPS with the [express-enforces-ssl](https://github.com/aredo/express-enforces-ssl) module.
This middleware adds the `Strict-Transport-Security` header to the response. This tells browsers, "hey, only use HTTPS for the next period of time". ([See the spec](https://tools.ietf.org/html/rfc6797) for more.) Note that the header won't tell users on HTTP to _switch_ to HTTPS, it will just tell HTTPS users to stick around. You can enforce HTTPS with the [express-enforces-ssl](https://github.com/aredo/express-enforces-ssl) module.

This will set the Strict Transport Security header, telling browsers to visit by HTTPS for the next 180 days:
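Review bot: Scheme-only change to the RFC link; the sentence it sits in is accurate and worth keeping as written, since RFC 6797 has browsers ignore a Strict-Transport-Security header received over plain HTTP, which is exactly why the express-enforces-ssl pointer belongs right next to it. Nit: the unchanged "See the spec" link text could name RFC 6797 so readers know what they are opening before they follow it.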

4 changes: 2 additions & 2 deletions middlewares/x-content-type-options/README.md
@@ -4,7 +4,7 @@ Some browsers will try to "sniff" mimetypes. For example, if my server serves _f

Browsers' same-origin policies generally prevent remote resources from being loaded dangerously, but vulnerabilities in web browsers can cause this to be abused. Some browsers, like [Chrome](https://developers.google.com/web/updates/2018/07/site-isolation), will further isolate memory if the `X-Content-Type-Options` header is seen.

There are [some other vulnerabilities](http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/), too.
There are [some other vulnerabilities](https://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/), too.

This middleware prevents Chrome, Opera 13+, IE 8+ and [Firefox 50+](https://bugzilla.mozilla.org/show_bug.cgi?id=471020) from doing this sniffing. The following example sets the `X-Content-Type-Options` header to its only option, `nosniff`:

@@ -13,4 +13,4 @@ const dontSniffMimetype = require("dont-sniff-mimetype");
app.use(dontSniffMimetype());
```

[MSDN has a good description](http://msdn.microsoft.com/en-us/library/gg622941%28v=vs.85%29.aspx) of how browsers behave when this header is sent.
[MSDN has a good description](https://msdn.microsoft.com/en-us/library/gg622941%28v=vs.85%29.aspx) of how browsers behave when this header is sent.
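Review bot: Possible stale link: this msdn.microsoft.com/en-us/library URL only gets a scheme change, while the x-download-options hunk in this same PR has to replace a blogs.msdn.com URL with its docs.microsoft.com archive location. Worth confirming that the library link still resolves to the X-Content-Type-Options page rather than a generic redirect; if it does not, point it at its docs.microsoft.com equivalent the same way the other hunk does.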
2 changes: 1 addition & 1 deletion middlewares/x-download-options/README.md
@@ -7,6 +7,6 @@ const ienoopen = require("ienoopen");
app.use(ienoopen());
```

Some web applications will serve untrusted HTML for download. By default, some versions of IE will allow you to open those HTML files _in the context of your site_, which means that an untrusted HTML page could start doing bad things in the context of your pages. For more, see [this MSDN blog post](https://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx).
Some web applications will serve untrusted HTML for download. By default, some versions of IE will allow you to open those HTML files _in the context of your site_, which means that an untrusted HTML page could start doing bad things in the context of your pages. For more, see [this MSDN blog post](https://docs.microsoft.com/en-us/archive/blogs/ie/ie8-security-part-v-comprehensive-protection).

This is pretty obscure, fixing a small bug on IE only. No real drawbacks other than performance/bandwidth of setting the headers, though.
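Review bot: This is the "fix broken link" part of the title: the blogs.msdn.com path is swapped for a docs.microsoft.com/en-us/archive/blogs path, a different host and path rather than a scheme change, so it cannot be verified mechanically like the rest of the PR. Suggest opening the new URL to confirm it lands on the "IE8 Security Part V: Comprehensive Protection" post rather than the archive index, and keeping this change in its own commit (the PR has two) so the scheme-only sweep stays easy to audit.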