BetterCrypto / Applied-Crypto-Hardening

Best Current Practices regarding secure online communication and configuration of services using cryptography.
https://bettercrypto.org

Webserver: Header Strict-Transport-Security "... includeSubDomains" #336

Open joergzimmermann opened 5 years ago

joergzimmermann commented 5 years ago

Header Strict-Transport-Security "... includeSubDomains": we need to mention that this can be a big pitfall.

joergzimmermann commented 5 years ago

Header Strict-Transport-Security "... includeSubDomains": we need to mention that this can be a big pitfall. Also do some more research on this! For example: https://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec#section-6.1

fix lighttpd HTTP redirection and env vars

lighttpd:
ssl.ec-curve = "secp384"
ssl.dh-file = "/etc/lighttpd/dhparams-group16.pem"
ssl.ec-curve = "secp384r1"
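As an added illustration of the pitfall discussed in this issue (example code, not part of the BetterCrypto repository): a small Python checker that parses a Strict-Transport-Security header following the directive rules in RFC 6797 section 6.1 and reports which hosts in a constructed inventory would become unreachable in browsers once a policy with includeSubDomains has been cached. The inventory and hostnames are made up for the example.

```python
def parse_hsts(header: str) -> dict:
    """Parse an HSTS header value (RFC 6797 section 6.1).

    Directive names are case-insensitive, max-age is required and
    includeSubDomains / preload are valueless flags.
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                raise ValueError(f"invalid max-age value: {value!r}")
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    if policy["max_age"] is None:
        raise ValueError("max-age directive is required")
    return policy


def hosts_broken_by_policy(policy: dict, parent: str, inventory: dict) -> list:
    """Return hosts that browsers will refuse to reach over plain HTTP.

    inventory maps hostname -> True if the host already serves HTTPS.
    A cached policy covers the parent host itself and, with
    includeSubDomains, every subdomain of it. max-age=0 clears the policy.
    """
    if policy["max_age"] == 0:
        return []
    parent = parent.lower()
    broken = []
    for host, https_ok in inventory.items():
        host = host.lower()
        covered = host == parent or (
            policy["include_subdomains"] and host.endswith("." + parent))
        if covered and not https_ok:
            broken.append(host)
    return sorted(broken)


if __name__ == "__main__":
    # Constructed inventory: two internal hosts still run plain HTTP only.
    inventory = {"example.com": True, "www.example.com": True,
                 "intranet.example.com": False, "mail.example.com": False}
    policy = parse_hsts("max-age=31536000; includeSubDomains")
    print(hosts_broken_by_policy(policy, "example.com", inventory))
```

Running the same inventory against a header without includeSubDomains yields an empty list, which is exactly the difference the issue warns about.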