Skip to content
This repository has been archived by the owner on Feb 21, 2019. It is now read-only.

IETF compliance? #44

Open
soferio opened this issue May 7, 2016 · 0 comments
Open

IETF compliance? #44

soferio opened this issue May 7, 2016 · 0 comments

Comments

@soferio
Copy link

soferio commented May 7, 2016
edited
Loading

Is there a problem that the STS header is also sent over an HTTP link on the first return?

See this line in para [7.2] at : http://tools.ietf.org/html/rfc6797:

_ "...An HSTS Host MUST NOT include the STS header field in HTTP responses
conveyed over non-secure transport."_

It seems that the "set_hsts_header" function should be modified to only set the header if the connection occurs over an https link. I am not 100% what the security issue is - but the standard does seem to require this. Does that seem correct to people?
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@soferio