Consider enabling HTTPS and HTTP Strict Transport Security.
-
### Is your feature request related to a problem? Please describe.
Yes, the issue is that the cookie set by `next-intl` does not have the `HttpOnly` flag. This can present a security risk because coo…
-
http://hstscookie.ca/ has a demo for storing cookies via HSTS browser records:
From the site "The HSTS cookie cannot be removed by clearing your cookies. It will be deleted if you clear 'site prefere…
-
What do you think about enabling HSTS as the default?
-
HSTS, or HTTP Strict Transport Security, is a new thing that forces client browsers to use HTTPS instead of HTTP. Look into Heroku and see if it's something we have to purchase, or simply turn on.
-
See https://forums.aws.amazon.com/thread.jspa?threadID=162252#jive-message-778226. Once @tobie has shared access details to the S3 instance I'd be willing to take a look at this, but no rush I think.
-
In your nginx/etc server config can you add:
`add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";`
This will prevent TLS downgrades when browsing slimerjs.org
-
I just emailed Alexey on an unrelated topic, and he suggested that STS should be using a new registry. "On a somewhat related note: are you updating your draft to use HSTS IANA registry (as per Chris …
-
https://hstspreload.org/