Open sayaHub opened 5 years ago
Can you point to an existing domain in this situation @sayaHub ?
Point 3 there seems to imply a secure endpoint is downgrading to an insecure path.. That feels pretty "wrong".
for point 3, we feel the same way, we don't understand why the configuration will be setup that way. We are trying to write up more about the right way to do redirection ...I ping you on slack about the domain example.
Example of a misconfigured redirection...
The logic of how pshtt chooses the 'best' endpoint to use could be changed, but it'd probably just be easier to fix the domains showing issues.
fyi, issue mentioned in original library : https://github.com/cisagov/pshtt/issues/89#issue
Use case:
Even if we feed the scanner with a root endpoint that is secured and properly redirect to the eventual secure endpoint, tracker seems to set the canonical url to httpswww. Where there are httpswww configuration issues, it significantly impact the root domain scan result because the httpswww is chosen.
Question: should Tracker choose to scan the secure root endpoint if Live instead of httpswww?