Closed mejofi closed 7 months ago

Version: 1.2.1

If my understanding of the spec isn't deserting me, the `preload` statement in the HSTS header is only relevant for requests to the apex, such as https://hsts.example/, and not for subdomains, since subdomains cannot be preloaded. This means that, for something like https://subdomain.hsts.example/, the following should pass:

as long as hsts.example has the proper header set, like this:

This probably goes for the `includeSubDomains` test as well?

Example: ipv4.ur.nl currently fails those two tests:

Oh, and minor niggle; example.com is a second-level domain, not first level 😄 https://en.wikipedia.org/wiki/Second-level_domain

> Oh, and minor niggle; example.com is a second-level domain, not first level 😄

🤦‍♂️ FYI: that term came from the `tld` library that I'm using.

These checks were not really designed with subdomains in mind. Working with subdomains while keeping the tool dependency-free is tricky. Plus, the number of requests this tool makes is increasing and is always in the back of my mind.

`preload`: I agree it should only be present on the second-level domain, and I will update the check to reflect that soon (I just need to think about how to determine whether a domain is a second-level domain or not).

`includeSubDomains`: I believe this can exist on subdomains (to indicate that subdomains of that subdomain require HTTPS), but that also means we should check all parent domains for the header before marking this as a failure.

I'll work on both of these at some point soon.

You can use the `publicsuffix2` module for this: https://pypi.org/project/publicsuffix2/

This uses the Public Suffix List maintained by Mozilla, and allows you to distinguish between, say, example.com and example.co.uk with just a few lines of code.

It also incorporates usage with domains where subdomains are individual users, such as 'github.io' and the like, so for some subdomains it may require extra logic that I have not had to deal with before 🤔

I forgot to write this up yesterday, but this is done and should be working in v1.5.0.

The behaviour is documented on the release, but to put it here too:

```
[ OK ] HSTS Header should have includeSubDomains (max-age=63072000; includeSubDomains; preload (from apex domain))
[ OK ] HSTS Header should have preload and includeSubDomains (max-age=63072000; includeSubDomains; preload (from apex domain))
```

Feel free to reopen this if it doesn't handle your use case properly.

Nice, thanks! 🙂
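The two ideas raised in the thread, resolving the registrable ("second-level") domain via a public-suffix lookup and then walking every parent up to that apex before failing the `includeSubDomains` / `preload` checks, combine into one small routine. The code below is an added example written for this write-up; it is not the tool's own implementation and does not use the real `publicsuffix2` package. `PUBLIC_SUFFIXES` is a constructed stand-in for the Public Suffix List, and `SAMPLE_HEADERS` is a constructed map of hostname to `Strict-Transport-Security` value standing in for live responses. It also covers the edge cases the thread touches: a parent whose policy lacks `includeSubDomains` does not cover its children, and a `github.io` user site is its own apex, so the walk never consults `github.io`.

```python
from typing import Dict, Optional, Tuple

# Constructed stand-in for the Public Suffix List (the real publicsuffix2
# module loads the full list; this subset only covers the thread's examples).
# "github.io" is itself a public suffix, so every user site under it is its
# own registrable domain, the case mejofi flags.
PUBLIC_SUFFIXES = {"com", "nl", "uk", "co.uk", "io", "github.io", "example"}


def registrable_domain(host: str) -> Optional[str]:
    """Return the registrable ('second-level' / apex) domain for host,
    or None when host is itself a public suffix such as 'co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    # Candidates are tried longest-first, so the first hit is the longest
    # public suffix; the registrable domain is that suffix plus one label.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return None if i == 0 else ".".join(labels[i - 1:])
    return None


def parse_hsts(header: str) -> Dict[str, Optional[str]]:
    """Split a Strict-Transport-Security value into lower-cased directives."""
    directives: Dict[str, Optional[str]] = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"') or None
    return directives


def hsts_directive_source(host: str, headers: Dict[str, str],
                          directive: str) -> Optional[Tuple[str, Dict]]:
    """Find which host's HSTS policy supplies `directive` for host.

    Starts at host itself, then walks each parent up to the registrable
    domain. A parent's policy only covers host if it carries
    includeSubDomains; the walk never goes above the registrable domain,
    so 'github.io' is never consulted for 'user.github.io'.
    """
    host = host.lower().rstrip(".")
    apex = registrable_domain(host)
    if apex is None:
        return None
    labels = host.split(".")
    depth = len(labels) - len(apex.split(".")) + 1
    for i in range(depth):
        candidate = ".".join(labels[i:])
        raw = headers.get(candidate)
        if raw is None:
            continue
        policy = parse_hsts(raw)
        if i > 0 and "includesubdomains" not in policy:
            continue  # parent policy does not extend to this host
        if directive in policy:
            return candidate, policy
    return None


def check_hsts_directives(host: str, headers: Dict[str, str]) -> Dict[str, str]:
    """Report, per directive, OK / OK (from <parent>) / FAIL, mirroring
    the '(from apex domain)' annotation shown in the thread."""
    results: Dict[str, str] = {}
    for directive in ("includesubdomains", "preload"):
        found = hsts_directive_source(host, headers, directive)
        if found is None:
            results[directive] = "FAIL"
        elif found[0] == host.lower().rstrip("."):
            results[directive] = "OK"
        else:
            results[directive] = f"OK (from {found[0]})"
    return results


# Constructed sample responses: hostname -> Strict-Transport-Security value.
SAMPLE_HEADERS = {
    "hsts.example": "max-age=63072000; includeSubDomains; preload",
    "subdomain.hsts.example": "max-age=31536000",
    "ur.nl": "max-age=63072000; includeSubDomains; preload",
    "noinclude.example": "max-age=31536000; preload",  # no includeSubDomains
    "child.noinclude.example": "max-age=31536000",
    "user.github.io": "max-age=31536000",
}

if __name__ == "__main__":
    for h in ("subdomain.hsts.example", "ipv4.ur.nl",
              "child.noinclude.example", "user.github.io"):
        print(h, check_hsts_directives(h, SAMPLE_HEADERS))
```

Swapping `registrable_domain` for `publicsuffix2.get_sld()` gives the same walk against the full list; the important design point is that the walk stops at the registrable domain, which is what keeps a missing header on `github.io` from ever being counted for or against a user site beneath it, while still letting `subdomain.hsts.example` inherit `preload` and `includeSubDomains` from `hsts.example`.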