Open jbcaprell opened 5 months ago

The `preload` directive isn’t part of the spec, but it is in wide use as far as these things go:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security#preloading_strict_transport_security

It requires another directive, `includeSubdomains`, be present; there are a couple of these HSTS Preloading services:
https://www.chromium.org/hsts/
https://hg.mozilla.org/mozilla-central/raw-file/tip/security/manager/ssl/nsSTSPreloadList.inc

… and they both parse the `Strict-Transport-Security` header just fine as Plug currently presents it; but it’s probably safer to append them in this order (`includeSubdomains` first), in case someone parses this header in a less-smart way in the future.
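To make the ordering point concrete, here is a small added example (my own code, not Plug's) that builds a Strict-Transport-Security value with `includeSubDomains` emitted before `preload`, parses an incoming value back into directives, and checks the conditions the preload list publishes for submission: a `max-age` of at least one year (31536000 seconds), `includeSubDomains`, and `preload`. Directive names are case-insensitive and their order is not significant per RFC 6797, which is why the existing preload services accept either order; the one-year threshold is taken from the hstspreload.org requirements and is an assumption of this example rather than anything Plug enforces.

```python
"""Strict-Transport-Security builder, parser and preload-eligibility check.

Added example, not Plug's code. The one-year max-age floor is the value
hstspreload.org documents for submission (assumption of this example).
"""
from __future__ import annotations

from dataclasses import dataclass

# Minimum max-age the preload list requires: one year in seconds.
PRELOAD_MIN_MAX_AGE = 31_536_000


@dataclass(frozen=True)
class Hsts:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False

    def to_header(self) -> str:
        # Emit max-age, then includeSubDomains, then preload, so that a naive
        # left-to-right parser sees the prerequisite before the directive that
        # depends on it (the ordering the issue recommends).
        parts = [f"max-age={self.max_age}"]
        if self.include_subdomains:
            parts.append("includeSubDomains")
        if self.preload:
            parts.append("preload")
        return "; ".join(parts)


def parse_hsts(value: str) -> dict[str, str | None]:
    """Split a header value into directives.

    Names are case-insensitive (RFC 6797), so keys are lower-cased; value-less
    directives map to None; quoted values have their quotes removed. A repeated
    directive keeps its first occurrence.
    """
    directives: dict[str, str | None] = {}
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, sep, val = token.partition("=")
        name = name.strip().lower()
        if name in directives:
            continue
        directives[name] = val.strip().strip('"') if sep else None
    return directives


def preload_problems(value: str) -> list[str]:
    """Return the reasons a header is not preload-eligible; [] means eligible."""
    d = parse_hsts(value)
    problems: list[str] = []
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        problems.append("max-age missing or not an integer")
    elif int(max_age) < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age {max_age} is below {PRELOAD_MIN_MAX_AGE} (1 year)")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains directive missing")
    if "preload" not in d:
        problems.append("preload directive missing")
    return problems


if __name__ == "__main__":
    header = Hsts(PRELOAD_MIN_MAX_AGE, include_subdomains=True, preload=True).to_header()
    print(header)                       # max-age=31536000; includeSubDomains; preload
    print(preload_problems(header))     # []
    print(preload_problems("max-age=300; preload"))
```

Running the module prints the recommended header form and an empty problem list for it, and shows that a short-lived `preload`-only header is rejected for two independent reasons; feeding the directives in the opposite order (`preload` before `includeSubDomains`) still passes, matching what the issue observes about the existing preload services.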