Open lgarron opened 6 years ago
@lgarron Hello! At the moment, we don't have a way to allow users to configure HSTS. Also, I see you have choosealicense.org in your issue, but I believe we're talking about choosealicense.com in this repo, right?
I took a look at a chromium hstspreload checker locally and it seems we have some extra work to do if we are to support this:
```
~$ hstspreload +d choosealicense.com
Checking domain choosealicense.com for preload requirements...
Observed header: max-age=31557600

Errors:
1. No includeSubDomains directive [header.preloadable.include_sub_domains.missing]
   The header must contain the `includeSubDomains` directive.
2. No preload directive [header.preloadable.preload.missing]
   The header must contain the `preload` directive.
3. www subdomain does not support HTTPS [domain.www.no_tls]
   Domain error: The www subdomain exists, but we couldn't connect to it using HTTPS ("x509: certificate is valid for www.github.com, *.github.io, *.githubusercontent.com, *.github.com, github.com, github.io, githubusercontent.com, not www.choosealicense.com"). Since many people type this by habit, HSTS preloading would likely cause issues for your site.

Warning:
1. Unnecessary HSTS header over HTTP [redirects.http.useless_header]
   The HTTP page at http://choosealicense.com sends an HSTS header. This has no effect over HTTP, and should be removed.
```
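To make the header-level rules in the checker output above concrete, here is a small offline check that parses a `Strict-Transport-Security` value and reports the same header problems the tool flagged. This is an added example, not code from the hstspreload tool or from this repository: the two `header.preloadable.*` codes and the `redirects.http.useless_header` warning code are taken from the output quoted in the thread, the `max_age.*` labels and the one-year minimum (31536000 seconds) are my own assumptions, and the network-side `www` subdomain check (`domain.www.no_tls`) is deliberately left out so the code runs without connectivity.

```python
"""Minimal HSTS preload-eligibility check, modelled on the hstspreload
checker output quoted in this thread. Added example, not the tool's code."""
import re

# Assumption: hstspreload.org requires a max-age of at least one year.
MIN_PRELOAD_MAX_AGE = 31536000
# Two years, the value proposed later in the thread.
RECOMMENDED_MAX_AGE = 63072000


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value into (max_age, flags).

    Directives are separated by ';' and names are case-insensitive.
    Returns max_age as an int (None if absent or unparseable) and the set
    of lower-cased valueless directives such as 'includesubdomains'.
    """
    max_age = None
    flags = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')  # RFC 6797 allows a quoted-string value
        if name == "max-age":
            if re.fullmatch(r"\d+", val):
                max_age = int(val)
            # otherwise leave None so the caller reports it as missing
        else:
            flags.add(name)
    return max_age, flags


def preload_errors(header_value, over_https=True):
    """Return (errors, warnings) as lists of codes for one observed header.

    over_https=False models the header being seen on the plain-HTTP page,
    where browsers ignore it (the warning in the thread's output).
    """
    errors = []
    warnings = []
    if not over_https:
        warnings.append("redirects.http.useless_header")
    max_age, flags = parse_hsts(header_value)
    if max_age is None:
        errors.append("header.preloadable.max_age.missing")  # constructed label
    elif max_age < MIN_PRELOAD_MAX_AGE:
        errors.append("header.preloadable.max_age.too_low")  # constructed label
    if "includesubdomains" not in flags:
        errors.append("header.preloadable.include_sub_domains.missing")
    if "preload" not in flags:
        errors.append("header.preloadable.preload.missing")
    return errors, warnings


def is_preloadable(header_value, over_https=True):
    """True when the header alone would not block a preload submission."""
    errors, _ = preload_errors(header_value, over_https)
    return not errors


if __name__ == "__main__":
    # Constructed samples: the header observed in the thread and the one proposed.
    for value in ("max-age=31557600",
                  "max-age=63072000; includeSubDomains; preload"):
        print(value, "->", preload_errors(value))
```

Running it reproduces the two header errors for the observed `max-age=31557600` value and a clean result for the proposed `max-age=63072000; includeSubDomains; preload`; the directive names are matched case-insensitively, so `IncludeSubDomains` is accepted just as the browser accepts it.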
Ah, yes. Both, preferably. :-D
@parkr: Is it alright if I add the HSTS header for choosealicense.com now?
@lgarron Sure!
I set the header today!
Still requires WWW support to preload.
choosealicense.org has HSTS due to #483.
It would be great to go all the way and preload HSTS: https://hstspreload.org/?domain=choosealicense.org
Steps would be:

- `Strict-Transport-Security: max-age=63072000; includeSubDomains; preload`
- choosealicense.org can be accessed from curl/golang? (this times out from HQ).

@parkr: could you help me find where the HSTS header served by choosealicense.org is configured?