Open FozzieHi opened 4 years ago
Displax
commented
4 years ago It is preloaded actually: https://dev.ssllabs.com/ssltest/analyze.html?d=isbgpsafeyet.com&s=104.18.12.88&latest It just displays that it's half a year (15552000) instead of a whole (31536000). But It's enough, i think.
FozzieHi
commented
4 years ago It is preloaded actually: https://dev.ssllabs.com/ssltest/analyze.html?d=isbgpsafeyet.com&s=104.18.12.88&latest It just displays that it's half a year (15552000) instead of a whole (31536000). But It's enough, i think.
It's not preloaded, max age needs to be 31536000 and then the domain needs to be submitted via https://hstspreload.org
FozzieHi
commented
4 years ago It is true, I'm talking about preloading as explained in the title and the comment you quoted.
Yes you can have HSTS without it being preloaded but to be preloaded you need the requirements which I said. I don't see how you think it's stupid, if an attacker wanted to MITM a user and they have never visited the website before then they could as the first request will be using HTTP unless you have an extension like HTTPS Everywhere.
FozzieHi
commented
4 years ago This is IMHO, very improbable. Anyway, next time when the site will be visited, it will be redirected to https and then HSTS'd foreVa!
Not forever, it follows the max-age in the HSTS header.
However improbable you think it is I don't find a reason for this not to be preloaded, unless Cloudflare feels like it might lose HTTPS compatibility in the future.
HSTS should be preloaded https://hstspreload.org/?domain=isbgpsafeyet.com