Require that the HTTP->HTTPS redirect also sends an HSTS header.

chromium / hstspreload

🔒🔍 A Go package to scan sites against requirements for Chromium-maintained HSTS preload list.

https://hstspreload.org

BSD 3-Clause "New" or "Revised" License

116 stars 37 forks source link

Require that the HTTP->HTTPS redirect also sends an HSTS header. #50

Closed lgarron closed 8 years ago

lgarron commented 8 years ago

If the redirect is http://example.com to https://example.com/landing.html (rather than https://example.com/), then https://example.com/landing.html sound send a valid HSTS header with the same dynamic semantics as the preload requirements.