chromium / hstspreload

🔒🔍 A Go package to scan sites against requirements for Chromium-maintained HSTS preload list.
https://hstspreload.org
BSD 3-Clause "New" or "Revised" License

Add a warning if HTTP->HTTPS redirects are not permanent (301/308) #93

Open lgarron opened 7 years ago

lgarron commented 7 years ago

Or maybe an error?

@ivanr's Hardenize checks for this.

ivanr commented 7 years ago

When I added the check I thought that having a permanent redirection is a preloading requirement. Looking at the web site right now, that doesn't seem to be the case. So my message will need to be toned down to promote permanent redirection as HSTS best policy only.

That said, I think there's some value in requiring permanent redirects for consistency with the RFC and as a small barrier to prevent preloading by mistake.
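A check of the kind this issue proposes, written here as an added example in Go; it is not hstspreload's own code, and the RedirectIssue type, the warning wording and the example.test target are assumptions. It fetches the first hop of a plain-HTTP request without following it, errors if that hop is not a redirect to an https:// URL, and warns when the redirect uses a temporary status code instead of 301/308.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// RedirectIssue is one finding; Level is "" (ok), "warning" or "error". Assumed type, not hstspreload's.
type RedirectIssue struct{ Level, Message string }

// CheckHTTPRedirect classifies the first response to a plain-HTTP request: it must redirect to an
// https:// URL; a temporary status (302/303/307) is a warning only, as issue #93 proposes.
func CheckHTTPRedirect(status int, location string) RedirectIssue {
	switch status {
	case 301, 302, 303, 307, 308:
	default:
		return RedirectIssue{"error", fmt.Sprintf("expected a redirect to HTTPS, got status %d", status)}
	}
	if target, err := url.Parse(location); err != nil || target.Scheme != "https" {
		return RedirectIssue{"error", fmt.Sprintf("redirect target is not HTTPS: %q", location)}
	}
	if status == 301 || status == 308 {
		return RedirectIssue{} // permanent redirect: nothing to report
	}
	return RedirectIssue{"warning", fmt.Sprintf(
		"HTTP->HTTPS redirect uses temporary status %d; use 301 or 308", status)}
}

// FetchAndCheck issues one GET without following redirects and checks only the first hop.
func FetchAndCheck(client *http.Client, rawURL string) (RedirectIssue, error) {
	noFollow := *client // copy so the caller's client keeps following redirects
	noFollow.CheckRedirect = func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse }
	resp, err := noFollow.Get(rawURL)
	if err != nil {
		return RedirectIssue{}, err
	}
	defer resp.Body.Close()
	return CheckHTTPRedirect(resp.StatusCode, resp.Header.Get("Location")), nil
}

func main() {
	// Constructed local server standing in for a site that redirects to HTTPS with a temporary 302.
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, "https://example.test"+r.URL.Path, http.StatusFound)
	}))
	defer srv.Close()
	issue, err := FetchAndCheck(srv.Client(), srv.URL+"/")
	fmt.Println(issue.Level, issue.Message, err)
}
```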