To my amazement, when I tried
http://micro.blog/homepage, it didn’t redirect me to the secure
https://micro.blog/homepage. I think this is an oversight, since insecure connections can lead to all kind of mischief. It applies to any subdirectory of the root directory, as far as I could see.
It seems to me that HTTP Strict Transport Security should apply to the whole site, not just the main landing page in the site’s root.
I’m sorry if this post is inappropriate. There doesn’t seem to be a separate secure channel (I could find) to report possible security bugs, though this one is minor enough to share publicly.