Where would one keep up with stuff like that other than keeping up with new RFCs?
SSL/TLS Deployment Best Practices
It seems even GitHub is susceptible to this. That is, for people who type www.github.com into their browser rather than github.com. They both did the redirect wrong, as well as leaving HSTS off https://www.github.com.