Closed hwdavr closed 3 months ago
The idea is you can configure it for just a single sub-domain:
For example:
```kotlin
config {
    excludeHosts = setOf(Host("*.example.com"))
    includeHosts = setOf(Host("included.example.com"))
}
```
Here, any host that is not example.com will still be fully included, but all subdomains of example.com are excluded except included.example.com.
i.e.:
excluded.example.com IS NOT checked for CT
included.example.com IS checked for CT
So basically, because all domains are included for CT checks by default (stricter security by default), we check for exclusions first, and if there are no exclusion rules for a host then any inclusion rules are redundant. Hope that makes sense.
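To make that precedence concrete, here is an added Kotlin sketch (not the library's own code; `Host`, `CtPolicy` and the "*.domain matches only subdomains" wildcard rule are assumptions) that applies exclusions first and lets an inclusion only re-enable a host an exclusion would have skipped:

```kotlin
// Hypothetical reimplementation of the exclude-then-include rule described above.
// Assumed pattern semantics: "*.example.com" matches any subdomain of example.com
// (not example.com itself); anything else must match the host name exactly.
class Host(private val pattern: String) {
    private val wildcard = pattern.startsWith("*.")
    private val suffix = pattern.removePrefix("*.")

    fun matches(host: String): Boolean =
        if (wildcard) host.endsWith(".$suffix") else host == pattern
}

class CtPolicy(
    private val excludeHosts: Set<Host> = emptySet(),
    private val includeHosts: Set<Host> = emptySet(),
) {
    // Every host is checked by default. Exclusions are evaluated first; an
    // inclusion only matters when the host also matched an exclusion.
    fun shouldCheck(host: String): Boolean {
        val excluded = excludeHosts.any { it.matches(host) }
        val included = includeHosts.any { it.matches(host) }
        return !excluded || included
    }
}

fun main() {
    val policy = CtPolicy(
        excludeHosts = setOf(Host("*.example.com")),
        includeHosts = setOf(Host("included.example.com")),
    )
    // Expected: excluded.example.com -> false, included.example.com -> true,
    // example.com -> true (wildcard does not cover the apex), other.test -> true.
    listOf("excluded.example.com", "included.example.com", "example.com", "other.test")
        .forEach { println("$it -> checked=${policy.shouldCheck(it)}") }

    // With no exclusions at all, includeHosts changes nothing: everything is checked.
    val includeOnly = CtPolicy(includeHosts = setOf(Host("included.example.com")))
    println("no exclusions, excluded.example.com -> checked=${includeOnly.shouldCheck("excluded.example.com")}")
}
```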
Not sure if this is an intentional design or a bug. From the code below in the library, if the host is not part of the excludeHosts,
`excludeHosts.any { it.matches(host) }`
will be false, the whole condition returns true, and the host will be checked for certificate transparency. Why does the library have both excludeHosts and includeHosts? To me, we just need one of them.