Open DinisCruz opened 10 years ago
Very nice, does this procedure address the issue presented in HSTS for the first HTTP request where an eavesdropper could intercept it?
2014-08-11 11:29 GMT-06:00 Dinis Cruz notifications@github.com:
This is submitted here https://hstspreload.appspot.com/
At the moment (with 3.4) we get this
[image: image] https://cloud.githubusercontent.com/assets/656739/3879837/e4138d24-217c-11e4-8942-89d46e852cda.png
The max-age is fixed in 3.5, but I don't think we have the includeSubdomains token
Michael Hidalgo http://michaelhidalgocr.blogspot.com
Yes, the point of the HSTS is to prevent that first request, and if the browser already knows that it should be in SSL, then even the first request to that domain will be made in SSL.